From bcf288ee6fa556c6a189a0c85a76ea877a280d71 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 18 Feb 2022 15:56:29 +0100 Subject: [PATCH] 5.15-stable patches added patches: atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch bonding-fix-data-races-around-agg_select_timer.patch bonding-force-carrier-update-when-releasing-slave.patch brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch cfg80211-fix-race-in-netlink-owner-interface-destruction.patch dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch drm-cma-helper-set-vm_dontexpand-for-mmap.patch drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch drm-i915-ttm-tweak-priority-hint-selection.patch drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch ipv6-per-netns-exclusive-flowlabel-checks.patch iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch iwlwifi-pcie-fix-locking-when-hw-not-ready.patch iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch libsubcmd-fix-use-after-free-for-realloc-...-0.patch mac80211-mlme-check-for-null-after-calling-kmemdup.patch net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch net-dsa-lan9303-add-vlan-ids-to-master-device.patch net-dsa-lan9303-fix-reset-on-probe.patch net-dsa-lan9303-handle-hwaccel-vlan-tags.patch net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch net-ieee802154-ca8210-fix-lifs-sifs-periods.patch net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch net_sched-add-__rcu-annotation-to-netdev-qdisc.patch netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch 
perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch selftests-exec-add-non-regular-to-test_gen_progs.patch selftests-netfilter-disable-rp_filter-on-router.patch selftests-netfilter-fix-exit-value-for-nft_concat_range.patch tipc-fix-wrong-publisher-node-address-in-link-publications.patch --- ...ter-link-flap-on-mikrotik-10-25g-nic.patch | 35 ++ ...x-data-races-around-agg_select_timer.patch | 138 ++++++++ ...-carrier-update-when-releasing-slave.patch | 49 +++ ...rmware-fix-crash-in-brcm_alt_fw_path.patch | 49 +++ ...-netlink-owner-interface-destruction.patch | 81 +++++ ...x-used-in-one-step-timestamping-path.patch | 37 ++ ...dpaa2_switch_flower_parse_mirror_key.patch | 49 +++ ...ma-helper-set-vm_dontexpand-for-mmap.patch | 43 +++ ...-gvt-make-drm_i915_gvt-depend-on-x86.patch | 33 ++ ...15-ttm-tweak-priority-hint-selection.patch | 46 +++ ...ropmon_net_event-trace_napi_poll_hit.patch | 103 ++++++ ...data-races-in-fib_alias_hw_flags_set.patch | 159 +++++++++ ...fib6_info_hw_flags_set-fib6_purge_rt.patch | 161 +++++++++ ...-rcu-safe-version-of-ipv6_get_lladdr.patch | 97 ++++++ ...per-netns-exclusive-flowlabel-checks.patch | 98 ++++++ ...end-sar-geo-command-for-3160-devices.patch | 87 +++++ ...i-pcie-fix-locking-when-hw-not-ready.patch | 34 ++ ...e-gen2-fix-locking-when-hw-not-ready.patch | 34 ++ ...fix-use-after-free-for-realloc-...-0.patch | 66 ++++ ...check-for-null-after-calling-kmemdup.patch | 118 +++++++ ...whenever-mc-processing-gets-disabled.patch | 49 +++ ...an9303-add-vlan-ids-to-master-device.patch | 75 ++++ .../net-dsa-lan9303-fix-reset-on-probe.patch | 36 ++ ...dsa-lan9303-handle-hwaccel-vlan-tags.patch | 69 ++++ ...p-fix-use-after-free-in-gswip_remove.patch | 34 ++ ...v-fdb-workqueue-before-removing-vlan.patch | 81 +++++ ...e802154-ca8210-fix-lifs-sifs-periods.patch | 36 ++ ...atek-remove-phy-mode-check-on-mt7531.patch | 
43 +++ ...copies-of-clcsock-callback-functions.patch | 66 ++++ ...add-__rcu-annotation-to-netdev-qdisc.patch | 327 ++++++++++++++++++ ...-unregister-hooks-on-init-error-path.patch | 32 ++ ...cket-fix-a-typo-in-socket_mt_destroy.patch | 34 ++ ...g-string-after-possible-strlen-on-it.patch | 50 +++ ...he-dif-and-sdif-check-in-ping_lookup.patch | 78 +++++ ...evm_platform_ioremap_resource_byname.patch | 73 ++++ ...ec-add-non-regular-to-test_gen_progs.patch | 40 +++ ...etfilter-disable-rp_filter-on-router.patch | 51 +++ ...-fix-exit-value-for-nft_concat_range.patch | 33 ++ queue-5.15/series | 39 +++ ...er-node-address-in-link-publications.patch | 39 +++ 40 files changed, 2802 insertions(+) create mode 100644 queue-5.15/atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch create mode 100644 queue-5.15/bonding-fix-data-races-around-agg_select_timer.patch create mode 100644 queue-5.15/bonding-force-carrier-update-when-releasing-slave.patch create mode 100644 queue-5.15/brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch create mode 100644 queue-5.15/cfg80211-fix-race-in-netlink-owner-interface-destruction.patch create mode 100644 queue-5.15/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch create mode 100644 queue-5.15/dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch create mode 100644 queue-5.15/drm-cma-helper-set-vm_dontexpand-for-mmap.patch create mode 100644 queue-5.15/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch create mode 100644 queue-5.15/drm-i915-ttm-tweak-priority-hint-selection.patch create mode 100644 queue-5.15/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch create mode 100644 queue-5.15/ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch create mode 100644 queue-5.15/ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch create mode 100644 queue-5.15/ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch create mode 100644 
queue-5.15/ipv6-per-netns-exclusive-flowlabel-checks.patch create mode 100644 queue-5.15/iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch create mode 100644 queue-5.15/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch create mode 100644 queue-5.15/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch create mode 100644 queue-5.15/libsubcmd-fix-use-after-free-for-realloc-...-0.patch create mode 100644 queue-5.15/mac80211-mlme-check-for-null-after-calling-kmemdup.patch create mode 100644 queue-5.15/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch create mode 100644 queue-5.15/net-dsa-lan9303-add-vlan-ids-to-master-device.patch create mode 100644 queue-5.15/net-dsa-lan9303-fix-reset-on-probe.patch create mode 100644 queue-5.15/net-dsa-lan9303-handle-hwaccel-vlan-tags.patch create mode 100644 queue-5.15/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch create mode 100644 queue-5.15/net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch create mode 100644 queue-5.15/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch create mode 100644 queue-5.15/net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch create mode 100644 queue-5.15/net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch create mode 100644 queue-5.15/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch create mode 100644 queue-5.15/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch create mode 100644 queue-5.15/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch create mode 100644 queue-5.15/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch create mode 100644 queue-5.15/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch create mode 100644 queue-5.15/revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch create mode 100644 queue-5.15/selftests-exec-add-non-regular-to-test_gen_progs.patch create mode 100644 
queue-5.15/selftests-netfilter-disable-rp_filter-on-router.patch create mode 100644 queue-5.15/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch create mode 100644 queue-5.15/tipc-fix-wrong-publisher-node-address-in-link-publications.patch
diff --git a/queue-5.15/atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch b/queue-5.15/atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch
new file mode 100644
index 00000000000..391081cd667
--- /dev/null
+++ b/queue-5.15/atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch
@@ -0,0 +1,35 @@
+From bf8e59fd315f304eb538546e35de6dc603e4709f Mon Sep 17 00:00:00 2001
+From: Gatis Peisenieks
+Date: Fri, 11 Feb 2022 08:51:23 +0200
+Subject: atl1c: fix tx timeout after link flap on Mikrotik 10/25G NIC
+
+From: Gatis Peisenieks
+
+commit bf8e59fd315f304eb538546e35de6dc603e4709f upstream.
+
+If NIC had packets in tx queue at the moment link down event
+happened, it could result in tx timeout when link got back up.
+
+Since device has more than one tx queue we need to reset them
+accordingly.
+
+Fixes: 057f4af2b171 ("atl1c: add 4 RX/TX queue support for Mikrotik 10/25G NIC")
+Signed-off-by: Gatis Peisenieks
+Link: https://lore.kernel.org/r/20220211065123.4187615-1-gatis@mikrotik.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -900,7 +900,7 @@ static void atl1c_clean_tx_ring(struct a
+ atl1c_clean_buffer(pdev, buffer_info);
+ }
+
+- netdev_reset_queue(adapter->netdev);
++ netdev_tx_reset_queue(netdev_get_tx_queue(adapter->netdev, queue));
+
+ /* Zero out Tx-buffers */
+ memset(tpd_ring->desc, 0, sizeof(struct atl1c_tpd_desc) *
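Review bot: `netdev_get_tx_queue(adapter->netdev, queue)` indexes the device's tx queue array without a range check of its own, and nothing in this hunk shows where `queue` comes from or that it is bounded; atl1c_clean_tx_ring() starts and ends outside the hunk. Presumably every caller loops over the configured tx queues, but that invariant is worth stating next to the call, e.g. `/* queue is a valid tx queue index; callers iterate over the configured tx queues */`, so a later caller passing an arbitrary index is caught in review rather than as an out-of-bounds access.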
diff --git a/queue-5.15/bonding-fix-data-races-around-agg_select_timer.patch b/queue-5.15/bonding-fix-data-races-around-agg_select_timer.patch
new file mode 100644
index 00000000000..db64830f37e
--- /dev/null
+++ b/queue-5.15/bonding-fix-data-races-around-agg_select_timer.patch
@@ -0,0 +1,138 @@
+From 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 14 Feb 2022 11:15:53 -0800
+Subject: bonding: fix data-races around agg_select_timer
+
+From: Eric Dumazet
+
+commit 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 upstream.
+
+syzbot reported that two threads might write over agg_select_timer
+at the same time. Make agg_select_timer atomic to fix the races.
+
+BUG: KCSAN: data-race in bond_3ad_initiate_agg_selection / bond_3ad_state_machine_handler
+
+read to 0xffff8881242aea90 of 4 bytes by task 1846 on cpu 1:
+ bond_3ad_state_machine_handler+0x99/0x2810 drivers/net/bonding/bond_3ad.c:2317
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+write to 0xffff8881242aea90 of 4 bytes by task 25910 on cpu 0:
+ bond_3ad_initiate_agg_selection+0x18/0x30 drivers/net/bonding/bond_3ad.c:1998
+ bond_open+0x658/0x6f0 drivers/net/bonding/bond_main.c:3967
+ __dev_open+0x274/0x3a0 net/core/dev.c:1407
+ dev_open+0x54/0x190 net/core/dev.c:1443
+ bond_enslave+0xcef/0x3000 drivers/net/bonding/bond_main.c:1937
+ do_set_master net/core/rtnetlink.c:2532 [inline]
+ do_setlink+0x94f/0x2500 net/core/rtnetlink.c:2736
+ __rtnl_newlink net/core/rtnetlink.c:3414 [inline]
+ rtnl_newlink+0xfeb/0x13e0 net/core/rtnetlink.c:3529
+ rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000050 -> 0x0000004f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 25910 Comm: syz-executor.1 Tainted: G W 5.17.0-rc4-syzkaller-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Jay Vosburgh
+Cc: Veaceslav Falico
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_3ad.c | 30 +++++++++++++++++++++++++-----
+ include/net/bond_3ad.h | 2 +-
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -225,7 +225,7 @@ static inline int __check_agg_selection_
+ if (bond == NULL)
+ return 0;
+
+- return BOND_AD_INFO(bond).agg_select_timer ? 1 : 0;
++ return atomic_read(&BOND_AD_INFO(bond).agg_select_timer) ? 1 : 0;
+ }
+
+ /**
+@@ -1995,7 +1995,7 @@ static void ad_marker_response_received(
+ */
+ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout)
+ {
+- BOND_AD_INFO(bond).agg_select_timer = timeout;
++ atomic_set(&BOND_AD_INFO(bond).agg_select_timer, timeout);
+ }
+
+ /**
+@@ -2279,6 +2279,28 @@ void bond_3ad_update_ad_actor_settings(s
+ }
+
+ /**
++ * bond_agg_timer_advance - advance agg_select_timer
++ * @bond: bonding structure
++ *
++ * Return true when agg_select_timer reaches 0.
++ */
++static bool bond_agg_timer_advance(struct bonding *bond)
++{
++ int val, nval;
++
++ while (1) {
++ val = atomic_read(&BOND_AD_INFO(bond).agg_select_timer);
++ if (!val)
++ return false;
++ nval = val - 1;
++ if (atomic_cmpxchg(&BOND_AD_INFO(bond).agg_select_timer,
++ val, nval) == val)
++ break;
++ }
++ return nval == 0;
++}
++
++/**
+ * bond_3ad_state_machine_handler - handle state machines timeout
+ * @work: work context to fetch bonding struct to work on from
+ *
+@@ -2313,9 +2335,7 @@ void bond_3ad_state_machine_handler(stru
+ if (!bond_has_slaves(bond))
+ goto re_arm;
+
+- /* check if agg_select_timer timer after initialize is timed out */
+- if (BOND_AD_INFO(bond).agg_select_timer &&
+- !(--BOND_AD_INFO(bond).agg_select_timer)) {
++ if (bond_agg_timer_advance(bond)) {
+ slave = bond_first_slave_rcu(bond);
+ port = slave ? &(SLAVE_AD_INFO(slave)->port) : NULL;
+
+--- a/include/net/bond_3ad.h
++++ b/include/net/bond_3ad.h
+@@ -262,7 +262,7 @@ struct ad_system {
+ struct ad_bond_info {
+ struct ad_system system; /* 802.3ad system structure */
+ struct bond_3ad_stats stats;
+- u32 agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */
++ atomic_t agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */
+ u16 aggregator_identifier;
+ };
+
diff --git a/queue-5.15/bonding-force-carrier-update-when-releasing-slave.patch b/queue-5.15/bonding-force-carrier-update-when-releasing-slave.patch
new file mode 100644
index 00000000000..bf6657b5d0a
--- /dev/null
+++ b/queue-5.15/bonding-force-carrier-update-when-releasing-slave.patch
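Review bot: The open-coded read/cmpxchg loop in the new bond_agg_timer_advance() can be replaced by the existing helper, `return atomic_dec_if_positive(&BOND_AD_INFO(bond).agg_select_timer) == 0;`, which returns the decremented value and leaves the counter untouched once it is no longer positive. That also covers a corner the loop leaves open: bond_3ad_initiate_agg_selection() stores a signed `int timeout` with atomic_set(), and with the field now an atomic_t a negative value would be decremented further on every tick instead of being treated as idle. Whether any caller can pass a negative timeout is not visible in these hunks, so take that part as a robustness point rather than a known bug.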
@@ -0,0 +1,49 @@
+From a6ab75cec1e461f8a35559054c146c21428430b8 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong
+Date: Wed, 16 Feb 2022 22:18:08 +0800
+Subject: bonding: force carrier update when releasing slave
+
+From: Zhang Changzhong
+
+commit a6ab75cec1e461f8a35559054c146c21428430b8 upstream.
+
+In __bond_release_one(), bond_set_carrier() is only called when bond
+device has no slave. Therefore, if we remove the up slave from a master
+with two slaves and keep the down slave, the master will remain up.
+
+Fix this by moving bond_set_carrier() out of if (!bond_has_slaves(bond))
+statement.
+
+Reproducer:
+$ insmod bonding.ko mode=0 miimon=100 max_bonds=2
+$ ifconfig bond0 up
+$ ifenslave bond0 eth0 eth1
+$ ifconfig eth0 down
+$ ifenslave -d bond0 eth1
+$ cat /proc/net/bonding/bond0
+
+Fixes: ff59c4563a8d ("[PATCH] bonding: support carrier state for master")
+Signed-off-by: Zhang Changzhong
+Acked-by: Jay Vosburgh
+Link: https://lore.kernel.org/r/1645021088-38370-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2377,10 +2377,9 @@ static int __bond_release_one(struct net
+ bond_select_active_slave(bond);
+ }
+
+- if (!bond_has_slaves(bond)) {
+- bond_set_carrier(bond);
++ bond_set_carrier(bond);
++ if (!bond_has_slaves(bond))
+ eth_hw_addr_random(bond_dev);
+- }
+
+ unblock_netpoll_tx();
+ synchronize_rcu();
diff --git a/queue-5.15/brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch b/queue-5.15/brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch
new file mode 100644
index 00000000000..ac3fa8fdd61
--- /dev/null
+++ b/queue-5.15/brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch
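Review bot: The now-unconditional `bond_set_carrier(bond);` carries no comment saying why carrier is recomputed on every release, so a later cleanup could easily fold it back into the `!bond_has_slaves(bond)` branch and reintroduce the stale-carrier state described in the commit message. A one-line comment above the call would do, e.g. `/* remaining slaves may all be down: always re-evaluate carrier */`. __bond_release_one() begins and ends outside the hunk.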
@@ -0,0 +1,49 @@
+From 665408f4c3a5c83e712871daa062721624b2b79e Mon Sep 17 00:00:00 2001
+From: Phil Elwell
+Date: Tue, 18 Jan 2022 15:45:14 +0000
+Subject: brcmfmac: firmware: Fix crash in brcm_alt_fw_path
+
+From: Phil Elwell
+
+commit 665408f4c3a5c83e712871daa062721624b2b79e upstream.
+
+The call to brcm_alt_fw_path in brcmf_fw_get_firmwares is not protected
+by a check to the validity of the fwctx->req->board_type pointer. This
+results in a crash in strlcat when, for example, the WLAN chip is found
+in a USB dongle.
+
+Prevent the crash by adding the necessary check.
+
+See: https://github.com/raspberrypi/linux/issues/4833
+
+Fixes: 5ff013914c62 ("brcmfmac: firmware: Allow per-board firmware binaries")
+Signed-off-by: Phil Elwell
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220118154514.3245524-1-phil@raspberrypi.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -693,7 +693,7 @@ int brcmf_fw_get_firmwares(struct device
+ {
+ struct brcmf_fw_item *first = &req->items[0];
+ struct brcmf_fw *fwctx;
+- char *alt_path;
++ char *alt_path = NULL;
+ int ret;
+
+ brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
+@@ -712,7 +712,9 @@ int brcmf_fw_get_firmwares(struct device
+ fwctx->done = fw_cb;
+
+ /* First try alternative board-specific path if any */
+- alt_path = brcm_alt_fw_path(first->path, fwctx->req->board_type);
++ if (fwctx->req->board_type)
++ alt_path = brcm_alt_fw_path(first->path,
++ fwctx->req->board_type);
+ if (alt_path) {
+ ret = request_firmware_nowait(THIS_MODULE, true, alt_path,
+ fwctx->dev, GFP_KERNEL, fwctx,
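Review bot: The NULL test on `fwctx->req->board_type` protects only this call site; brcm_alt_fw_path() itself would still dereference whatever it is handed. The helper is not visible in this hunk, but if it has or gains other callers, a guard at its top, e.g. `if (!board_type) return NULL;` (parameter name assumed), would keep the same crash from reappearing and would let this caller return to the single-line assignment. brcmf_fw_get_firmwares() continues past the end of the hunk.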
diff --git a/queue-5.15/cfg80211-fix-race-in-netlink-owner-interface-destruction.patch b/queue-5.15/cfg80211-fix-race-in-netlink-owner-interface-destruction.patch
new file mode 100644
index 00000000000..e3e7ff621e2
--- /dev/null
+++ b/queue-5.15/cfg80211-fix-race-in-netlink-owner-interface-destruction.patch
@@ -0,0 +1,81 @@
+From f0a6fd1527067da537e9c48390237488719948ed Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 1 Feb 2022 14:09:51 +0100
+Subject: cfg80211: fix race in netlink owner interface destruction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johannes Berg
+
+commit f0a6fd1527067da537e9c48390237488719948ed upstream.
+
+My previous fix here to fix the deadlock left a race where
+the exact same deadlock (see the original commit referenced
+below) can still happen if cfg80211_destroy_ifaces() already
+runs while nl80211_netlink_notify() is still marking some
+interfaces as nl_owner_dead.
+
+The race happens because we have two loops here - first we
+dev_close() all the netdevs, and then we destroy them. If we
+also have two netdevs (first one need only be a wdev though)
+then we can find one during the first iteration, close it,
+and go to the second iteration -- but then find two, and try
+to destroy also the one we didn't close yet.
+
+Fix this by only iterating once.
+
+Reported-by: Toke Høiland-Jørgensen
+Fixes: ea6b2098dd02 ("cfg80211: fix locking in netlink owner interface destruction")
+Tested-by: Toke Høiland-Jørgensen
+Link: https://lore.kernel.org/r/20220201130951.22093-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/core.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -5,7 +5,7 @@
+ * Copyright 2006-2010 Johannes Berg
+ * Copyright 2013-2014 Intel Mobile Communications GmbH
+ * Copyright 2015-2017 Intel Deutschland GmbH
+- * Copyright (C) 2018-2021 Intel Corporation
++ * Copyright (C) 2018-2022 Intel Corporation
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -332,29 +332,20 @@ static void cfg80211_event_work(struct w
+ void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev)
+ {
+ struct wireless_dev *wdev, *tmp;
+- bool found = false;
+
+ ASSERT_RTNL();
+
+- list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
++ list_for_each_entry_safe(wdev, tmp, &rdev->wiphy.wdev_list, list) {
+ if (wdev->nl_owner_dead) {
+ if (wdev->netdev)
+ dev_close(wdev->netdev);
+- found = true;
+- }
+- }
+-
+- if (!found)
+- return;
+
+- wiphy_lock(&rdev->wiphy);
+- list_for_each_entry_safe(wdev, tmp, &rdev->wiphy.wdev_list, list) {
+- if (wdev->nl_owner_dead) {
++ wiphy_lock(&rdev->wiphy);
+ cfg80211_leave(rdev, wdev);
+ rdev_del_virtual_intf(rdev, wdev);
++ wiphy_unlock(&rdev->wiphy);
+ }
+ }
+- wiphy_unlock(&rdev->wiphy);
+ }
+
+ static void cfg80211_destroy_iface_wk(struct work_struct *work)
diff --git a/queue-5.15/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch b/queue-5.15/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
new file mode 100644
index 00000000000..200244e0c53
--- /dev/null
+++ b/queue-5.15/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
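Review bot: The merged loop in cfg80211_destroy_ifaces() now takes and drops `wiphy_lock` once per interface, so between iterations `rdev->wiphy.wdev_list` is protected only by the RTNL asserted at the top, and the saved `tmp` of `list_for_each_entry_safe()` stays valid only if nothing can remove entries without holding RTNL. That appears to be the intent, but the locking assumption is not written down anywhere in the function. A comment above the loop, e.g. `/* RTNL keeps wdev_list stable; wiphy lock is taken per wdev so dev_close() runs without it */`, would make it reviewable the next time this teardown path is touched.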
@@ -0,0 +1,37 @@
+From 07dd44852be89386ab12210df90a2d78779f3bff Mon Sep 17 00:00:00 2001
+From: Radu Bulie
+Date: Mon, 14 Feb 2022 19:45:34 +0200
+Subject: dpaa2-eth: Initialize mutex used in one step timestamping path
+
+From: Radu Bulie
+
+commit 07dd44852be89386ab12210df90a2d78779f3bff upstream.
+
+1588 Single Step Timestamping code path uses a mutex to
+enforce atomicity for two events:
+- update of ptp single step register
+- transmit ptp event packet
+
+Before this patch the mutex was not initialized. This
+caused unexpected crashes in the Tx function.
+
+Fixes: c55211892f463 ("dpaa2-eth: support PTP Sync packet one-step timestamping")
+Signed-off-by: Radu Bulie
+Reviewed-by: Ioana Ciornei
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -4329,7 +4329,7 @@ static int dpaa2_eth_probe(struct fsl_mc
+ }
+
+ INIT_WORK(&priv->tx_onestep_tstamp, dpaa2_eth_tx_onestep_tstamp);
+-
++ mutex_init(&priv->onestep_tstamp_lock);
+ skb_queue_head_init(&priv->tx_skbs);
+
+ priv->rx_copybreak = DPAA2_ETH_DEFAULT_COPYBREAK;
diff --git a/queue-5.15/dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch b/queue-5.15/dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch
new file mode 100644
index 00000000000..d8143656f81
--- /dev/null
+++ b/queue-5.15/dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch
@@ -0,0 +1,49 @@
+From 2a36ed7c1cd55742503bed81d2cc0ea83bd0ad0c Mon Sep 17 00:00:00 2001
+From: Tom Rix
+Date: Mon, 14 Feb 2022 07:41:39 -0800
+Subject: dpaa2-switch: fix default return of dpaa2_switch_flower_parse_mirror_key
+
+From: Tom Rix
+
+commit 2a36ed7c1cd55742503bed81d2cc0ea83bd0ad0c upstream.
+
+Clang static analysis reports this representative problem
+dpaa2-switch-flower.c:616:24: warning: The right operand of '=='
+ is a garbage value
+ tmp->cfg.vlan_id == vlan) {
+ ^ ~~~~
+vlan is set in dpaa2_switch_flower_parse_mirror_key(). However
+this function can return success without setting vlan. So
+change the default return to -EOPNOTSUPP.
+
+Fixes: 0f3faece5808 ("dpaa2-switch: add VLAN based mirroring")
+Signed-off-by: Tom Rix
+Reviewed-by: Ioana Ciornei
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
+@@ -532,6 +532,7 @@ static int dpaa2_switch_flower_parse_mir
+ struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
+ struct flow_dissector *dissector = rule->match.dissector;
+ struct netlink_ext_ack *extack = cls->common.extack;
++ int ret = -EOPNOTSUPP;
+
+ if (dissector->used_keys &
+ ~(BIT(FLOW_DISSECTOR_KEY_BASIC) |
+@@ -561,9 +562,10 @@ static int dpaa2_switch_flower_parse_mir
+ }
+
+ *vlan = (u16)match.key->vlan_id;
++ ret = 0;
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int
diff --git a/queue-5.15/drm-cma-helper-set-vm_dontexpand-for-mmap.patch b/queue-5.15/drm-cma-helper-set-vm_dontexpand-for-mmap.patch
new file mode 100644
index 00000000000..bccbf6d7e80
--- /dev/null
+++ b/queue-5.15/drm-cma-helper-set-vm_dontexpand-for-mmap.patch
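Review bot: The new default `int ret = -EOPNOTSUPP;` reaches the final `return ret;` without any extack message, so a mirror rule that presumably carries no VLAN key is rejected with nothing telling the user why, even though `extack` is already in scope. Setting a message on that path, e.g. `if (ret) NL_SET_ERR_MSG_MOD(extack, "Mirroring requires a VLAN key");` just before the return, would fix that (the message text is only a suggestion). The middle of the function lies outside the two hunks, so other exits may already set extack. Separately, the warning quoted in the description was raised on the caller's `vlan`; initialising it at the caller as well would keep a future success path from reintroducing the uninitialised read.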
@@ -0,0 +1,43 @@
+From 59f39bfa6553d598cb22f694d45e89547f420d85 Mon Sep 17 00:00:00 2001
+From: Robin Murphy
+Date: Wed, 13 Oct 2021 10:36:54 -0400
+Subject: drm/cma-helper: Set VM_DONTEXPAND for mmap
+
+From: Robin Murphy
+
+commit 59f39bfa6553d598cb22f694d45e89547f420d85 upstream.
+
+drm_gem_cma_mmap() cannot assume every implementation of dma_mmap_wc()
+will end up calling remap_pfn_range() (which happens to set the relevant
+vma flag, among others), so in order to make sure expectations around
+VM_DONTEXPAND are met, let it explicitly set the flag like most other
+GEM mmap implementations do.
+
+This avoids repeated warnings on a small minority of systems where the
+display is behind an IOMMU, and has a simple driver which does not
+override drm_gem_cma_default_funcs. Arm hdlcd is an in-tree affected
+driver. Out-of-tree, the Apple DCP driver is affected; this fix is
+required for DCP to be mainlined.
+
+[Alyssa: Update commit message.]
+
+Fixes: c40069cb7bd6 ("drm: add mmap() to drm_gem_object_funcs")
+Acked-by: Daniel Vetter
+Signed-off-by: Robin Murphy
+Signed-off-by: Alyssa Rosenzweig
+Link: https://patchwork.freedesktop.org/patch/msgid/20211013143654.39031-1-alyssa@rosenzweig.io
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_gem_cma_helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_gem_cma_helper.c
++++ b/drivers/gpu/drm/drm_gem_cma_helper.c
+@@ -515,6 +515,7 @@ int drm_gem_cma_mmap(struct drm_gem_obje
+ */
+ vma->vm_pgoff -= drm_vma_node_start(&obj->vma_node);
+ vma->vm_flags &= ~VM_PFNMAP;
++ vma->vm_flags |= VM_DONTEXPAND;
+
+ cma_obj = to_drm_gem_cma_obj(obj);
+
diff --git a/queue-5.15/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch b/queue-5.15/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
new file mode 100644
index 00000000000..f73f663ae69
--- /dev/null
+++ b/queue-5.15/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
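Review bot: The added `vma->vm_flags |= VM_DONTEXPAND;` has no comment, while the flag handling just above it sits under a block comment whose end is the first line of this hunk. VM_DONTEXPAND is what keeps the mapping from being grown past the buffer object through mremap(), and per the description it is set here because dma_mmap_wc() is not guaranteed to set it. A one-line comment would stop it from being removed later as redundant, e.g. `/* dma_mmap_wc() may not go through remap_pfn_range(); set VM_DONTEXPAND ourselves */`. drm_gem_cma_mmap() starts and ends outside the hunk.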
@@ -0,0 +1,33 @@
+From d72d69abfdb6e0375981cfdda8eb45143f12c77d Mon Sep 17 00:00:00 2001
+From: Siva Mullati
+Date: Fri, 7 Jan 2022 15:22:35 +0530
+Subject: drm/i915/gvt: Make DRM_I915_GVT depend on X86
+
+From: Siva Mullati
+
+commit d72d69abfdb6e0375981cfdda8eb45143f12c77d upstream.
+
+GVT is not supported on non-x86 platforms, So add
+dependency of X86 on config parameter DRM_I915_GVT.
+
+Fixes: 0ad35fed618c ("drm/i915: gvt: Introduce the basic architecture of GVT-g")
+Signed-off-by: Siva Mullati
+Signed-off-by: Zhi Wang
+Link: http://patchwork.freedesktop.org/patch/msgid/20220107095235.243448-1-siva.mullati@intel.com
+Reviewed-by: Zhi Wang
+Signed-off-by: Zhi Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/Kconfig
++++ b/drivers/gpu/drm/i915/Kconfig
+@@ -101,6 +101,7 @@ config DRM_I915_USERPTR
+ config DRM_I915_GVT
+ bool "Enable Intel GVT-g graphics virtualization host support"
+ depends on DRM_I915
++ depends on X86
+ depends on 64BIT
+ default n
+ help
diff --git a/queue-5.15/drm-i915-ttm-tweak-priority-hint-selection.patch b/queue-5.15/drm-i915-ttm-tweak-priority-hint-selection.patch
new file mode 100644
index 00000000000..27656db4340
--- /dev/null
+++ b/queue-5.15/drm-i915-ttm-tweak-priority-hint-selection.patch
@@ -0,0 +1,46 @@
+From 0bdc0a0699929c814a8aecd55d2accb8c11beae2 Mon Sep 17 00:00:00 2001
+From: Matthew Auld
+Date: Wed, 9 Feb 2022 11:16:52 +0000
+Subject: drm/i915/ttm: tweak priority hint selection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld
+
+commit 0bdc0a0699929c814a8aecd55d2accb8c11beae2 upstream.
+
+For some reason we are selecting PRIO_HAS_PAGES when we don't have
+mm.pages, and vice versa.
+
+v2(Thomas):
+ - Add missing fixes tag
+
+Fixes: 213d50927763 ("drm/i915/ttm: Introduce a TTM i915 gem object backend")
+Signed-off-by: Matthew Auld
+Cc: Thomas Hellström
+Reviewed-by: Thomas Hellström
+Link: https://patchwork.freedesktop.org/patch/msgid/20220209111652.468762-1-matthew.auld@intel.com
+(cherry picked from commit ba2c5d15022a565da187d90e2fe44768e33e5034)
+Signed-off-by: Tvrtko Ursulin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+@@ -759,11 +759,9 @@ static void i915_ttm_adjust_lru(struct d
+ if (obj->mm.madv != I915_MADV_WILLNEED) {
+ bo->priority = I915_TTM_PRIO_PURGE;
+ } else if (!i915_gem_object_has_pages(obj)) {
+- if (bo->priority < I915_TTM_PRIO_HAS_PAGES)
+- bo->priority = I915_TTM_PRIO_HAS_PAGES;
++ bo->priority = I915_TTM_PRIO_NO_PAGES;
+ } else {
+- if (bo->priority > I915_TTM_PRIO_NO_PAGES)
+- bo->priority = I915_TTM_PRIO_NO_PAGES;
++ bo->priority = I915_TTM_PRIO_HAS_PAGES;
+ }
+
+ ttm_bo_move_to_lru_tail(bo, bo->resource, NULL);
diff --git a/queue-5.15/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch b/queue-5.15/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
new file mode 100644
index 00000000000..cd2d0d39e50
--- /dev/null
+++ b/queue-5.15/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
@@ -0,0 +1,103 @@ +From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 10 Feb 2022 09:13:31 -0800 +Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit + +From: Eric Dumazet + +commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream. + +trace_napi_poll_hit() is reading stat->dev while another thread can write +on it from dropmon_net_event() + +Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already, +we only have to take care of load/store tearing. + +BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit + +write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1: + dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579 + notifier_call_chain kernel/notifier.c:84 [inline] + raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392 + call_netdevice_notifiers_info net/core/dev.c:1919 [inline] + call_netdevice_notifiers_extack net/core/dev.c:1931 [inline] + call_netdevice_notifiers net/core/dev.c:1945 [inline] + unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415 + ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123 + vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515 + ops_exit_list net/core/net_namespace.c:173 [inline] + cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0: + trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292 + trace_napi_poll include/trace/events/napi.h:14 [inline] + __napi_poll+0x36b/0x3f0 net/core/dev.c:6366 + napi_poll net/core/dev.c:6432 [inline] + net_rx_action+0x29e/0x650 net/core/dev.c:6519 + __do_softirq+0x158/0x2de kernel/softirq.c:558 + do_softirq+0xb1/0xf0 kernel/softirq.c:459 + __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383 + __raw_spin_unlock_bh 
include/linux/spinlock_api_smp.h:167 [inline] + _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210 + spin_unlock_bh include/linux/spinlock.h:394 [inline] + ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline] + wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +value changed: 0xffff88815883e000 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker + +Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets") +Signed-off-by: Eric Dumazet +Cc: Neil Horman +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/drop_monitor.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -280,13 +280,17 @@ static void trace_napi_poll_hit(void *ig + + rcu_read_lock(); + list_for_each_entry_rcu(new_stat, &hw_stats_list, list) { ++ struct net_device *dev; ++ + /* + * only add a note to our monitor buffer if: + * 1) this is the dev we received on + * 2) its after the last_rx delta + * 3) our rx_dropped count has gone up + */ +- if ((new_stat->dev == napi->dev) && ++ /* Paired with WRITE_ONCE() in dropmon_net_event() */ ++ dev = READ_ONCE(new_stat->dev); ++ if ((dev == napi->dev) && + (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) && + (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) { + trace_drop_common(NULL, NULL); +@@ -1572,7 +1576,10 @@ static int dropmon_net_event(struct noti + mutex_lock(&net_dm_mutex); + list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, 
list) { + if (new_stat->dev == dev) { +- new_stat->dev = NULL; ++ ++ /* Paired with READ_ONCE() in trace_napi_poll_hit() */ ++ WRITE_ONCE(new_stat->dev, NULL); ++ + if (trace_state == TRACE_OFF) { + list_del_rcu(&new_stat->list); + kfree_rcu(new_stat, rcu); diff --git a/queue-5.15/ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch b/queue-5.15/ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch new file mode 100644 index 00000000000..9b9cbe1dd8e --- /dev/null +++ b/queue-5.15/ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch 
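Review bot: In trace_napi_poll_hit() the condition that now uses `READ_ONCE(new_stat->dev)` still reads `new_stat->last_rx` and `new_stat->last_drop_val` with plain loads. If those fields are stored by the same tracepoint running on another CPU (the stores are outside this hunk, so this is inferred), they are open to the same load/store tearing the patch addresses for `dev`. Either annotate them as well, e.g. `time_after(jiffies, READ_ONCE(new_stat->last_rx) + dm_hw_check_delta)`, or add a comment stating why a torn value is harmless there. The plain `if (new_stat->dev == dev)` in dropmon_net_event() runs after `mutex_lock(&net_dm_mutex)`; a one-line comment that writers are serialized by that mutex would explain why it needs no annotation. Both function bodies continue outside the hunks.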
@@ -0,0 +1,159 @@ +From 9fcf986cc4bc6a3a39f23fbcbbc3a9e52d3c24fd Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 16 Feb 2022 09:32:16 -0800 +Subject: ipv4: fix data races in fib_alias_hw_flags_set + +From: Eric Dumazet + +commit 9fcf986cc4bc6a3a39f23fbcbbc3a9e52d3c24fd upstream. + +fib_alias_hw_flags_set() can be used by concurrent threads, +and is only RCU protected. + +We need to annotate accesses to following fields of struct fib_alias: + + offload, trap, offload_failed + +Because of READ_ONCE()WRITE_ONCE() limitations, make these +field u8. + +BUG: KCSAN: data-race in fib_alias_hw_flags_set / fib_alias_hw_flags_set + +read to 0xffff888134224a6a of 1 bytes by task 2013 on cpu 1: + fib_alias_hw_flags_set+0x28a/0x470 net/ipv4/fib_trie.c:1050 + nsim_fib4_rt_hw_flags_set drivers/net/netdevsim/fib.c:350 [inline] + nsim_fib4_rt_add drivers/net/netdevsim/fib.c:367 [inline] + nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:429 [inline] + nsim_fib4_event drivers/net/netdevsim/fib.c:461 [inline] + nsim_fib_event drivers/net/netdevsim/fib.c:881 [inline] + nsim_fib_event_work+0x1852/0x2cf0 drivers/net/netdevsim/fib.c:1477 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + process_scheduled_works kernel/workqueue.c:2370 [inline] + worker_thread+0x7df/0xa70 kernel/workqueue.c:2456 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +write to 0xffff888134224a6a of 1 bytes by task 4872 on cpu 0: + fib_alias_hw_flags_set+0x2d5/0x470 net/ipv4/fib_trie.c:1054 + nsim_fib4_rt_hw_flags_set drivers/net/netdevsim/fib.c:350 [inline] + nsim_fib4_rt_add drivers/net/netdevsim/fib.c:367 [inline] + nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:429 [inline] + nsim_fib4_event drivers/net/netdevsim/fib.c:461 [inline] + nsim_fib_event drivers/net/netdevsim/fib.c:881 [inline] + nsim_fib_event_work+0x1852/0x2cf0 drivers/net/netdevsim/fib.c:1477 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + process_scheduled_works kernel/workqueue.c:2370 [inline] + 
worker_thread+0x7df/0xa70 kernel/workqueue.c:2456 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +value changed: 0x00 -> 0x02 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 4872 Comm: kworker/0:0 Not tainted 5.17.0-rc3-syzkaller-00188-g1d41d2e82623-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events nsim_fib_event_work + +Fixes: 90b93f1b31f8 ("ipv4: Add "offload" and "trap" indications to routes") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/20220216173217.3792411-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_lookup.h | 7 +++---- + net/ipv4/fib_semantics.c | 6 +++--- + net/ipv4/fib_trie.c | 22 +++++++++++++--------- + net/ipv4/route.c | 4 ++-- + 4 files changed, 21 insertions(+), 18 deletions(-) + +--- a/net/ipv4/fib_lookup.h ++++ b/net/ipv4/fib_lookup.h +@@ -16,10 +16,9 @@ struct fib_alias { + u8 fa_slen; + u32 tb_id; + s16 fa_default; +- u8 offload:1, +- trap:1, +- offload_failed:1, +- unused:5; ++ u8 offload; ++ u8 trap; ++ u8 offload_failed; + struct rcu_head rcu; + }; + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -524,9 +524,9 @@ void rtmsg_fib(int event, __be32 key, st + fri.dst_len = dst_len; + fri.tos = fa->fa_tos; + fri.type = fa->fa_type; +- fri.offload = fa->offload; +- fri.trap = fa->trap; +- fri.offload_failed = fa->offload_failed; ++ fri.offload = READ_ONCE(fa->offload); ++ fri.trap = READ_ONCE(fa->trap); ++ fri.offload_failed = READ_ONCE(fa->offload_failed); + err = fib_dump_info(skb, info->portid, seq, event, &fri, nlm_flags); + if (err < 0) { + /* -EMSGSIZE implies BUG in fib_nlmsg_size() */ +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1047,19 +1047,23 @@ void fib_alias_hw_flags_set(struct net * + if (!fa_match) + goto out; + +- if (fa_match->offload == fri->offload && 
fa_match->trap == fri->trap && +- fa_match->offload_failed == fri->offload_failed) ++ /* These are paired with the WRITE_ONCE() happening in this function. ++ * The reason is that we are only protected by RCU at this point. ++ */ ++ if (READ_ONCE(fa_match->offload) == fri->offload && ++ READ_ONCE(fa_match->trap) == fri->trap && ++ READ_ONCE(fa_match->offload_failed) == fri->offload_failed) + goto out; + +- fa_match->offload = fri->offload; +- fa_match->trap = fri->trap; ++ WRITE_ONCE(fa_match->offload, fri->offload); ++ WRITE_ONCE(fa_match->trap, fri->trap); + + /* 2 means send notifications only if offload_failed was changed. */ + if (net->ipv4.sysctl_fib_notify_on_flag_change == 2 && +- fa_match->offload_failed == fri->offload_failed) ++ READ_ONCE(fa_match->offload_failed) == fri->offload_failed) + goto out; + +- fa_match->offload_failed = fri->offload_failed; ++ WRITE_ONCE(fa_match->offload_failed, fri->offload_failed); + + if (!net->ipv4.sysctl_fib_notify_on_flag_change) + goto out; +@@ -2297,9 +2301,9 @@ static int fn_trie_dump_leaf(struct key_ + fri.dst_len = KEYLENGTH - fa->fa_slen; + fri.tos = fa->fa_tos; + fri.type = fa->fa_type; +- fri.offload = fa->offload; +- fri.trap = fa->trap; +- fri.offload_failed = fa->offload_failed; ++ fri.offload = READ_ONCE(fa->offload); ++ fri.trap = READ_ONCE(fa->trap); ++ fri.offload_failed = READ_ONCE(fa->offload_failed); + err = fib_dump_info(skb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -3401,8 +3401,8 @@ static int inet_rtm_getroute(struct sk_b + fa->fa_tos == fri.tos && + fa->fa_info == res.fi && + fa->fa_type == fri.type) { +- fri.offload = fa->offload; +- fri.trap = fa->trap; ++ fri.offload = READ_ONCE(fa->offload); ++ fri.trap = READ_ONCE(fa->trap); + break; + } + } 
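Review bot: The compare-then-store sequence in fib_alias_hw_flags_set() is still not atomic across the three flags. READ_ONCE()/WRITE_ONCE() only prevent load/store tearing, so two concurrent callers can interleave, leaving `offload` from one caller next to `trap` or `offload_failed` from the other, and the notification decision can be made on a value that has already been overwritten. If that outcome is acceptable, the new comment should say so, for example `/* Lockless: concurrent callers may interleave; only tearing is prevented here. */`. The same pattern is added to fib6_info_hw_flags_set() by the ipv6 patch later in this queue. The function starts and ends outside the hunk.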
diff --git a/queue-5.15/ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch b/queue-5.15/ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch new file mode 100644 index 00000000000..9cc706b3611 --- /dev/null +++ b/queue-5.15/ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch 
@@ -0,0 +1,161 @@ +From d95d6320ba7a51d61c097ffc3bcafcf70283414e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 16 Feb 2022 09:32:17 -0800 +Subject: ipv6: fix data-race in fib6_info_hw_flags_set / fib6_purge_rt + +From: Eric Dumazet + +commit d95d6320ba7a51d61c097ffc3bcafcf70283414e upstream. + +Because fib6_info_hw_flags_set() is called without any synchronization, +all accesses to gi6->offload, fi->trap and fi->offload_failed +need some basic protection like READ_ONCE()/WRITE_ONCE(). + +BUG: KCSAN: data-race in fib6_info_hw_flags_set / fib6_purge_rt + +read to 0xffff8881087d5886 of 1 bytes by task 13953 on cpu 0: + fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1007 [inline] + fib6_purge_rt+0x4f/0x580 net/ipv6/ip6_fib.c:1033 + fib6_del_route net/ipv6/ip6_fib.c:1983 [inline] + fib6_del+0x696/0x890 net/ipv6/ip6_fib.c:2028 + __ip6_del_rt net/ipv6/route.c:3876 [inline] + ip6_del_rt+0x83/0x140 net/ipv6/route.c:3891 + __ipv6_dev_ac_dec+0x2b5/0x370 net/ipv6/anycast.c:374 + ipv6_dev_ac_dec net/ipv6/anycast.c:387 [inline] + __ipv6_sock_ac_close+0x141/0x200 net/ipv6/anycast.c:207 + ipv6_sock_ac_close+0x79/0x90 net/ipv6/anycast.c:220 + inet6_release+0x32/0x50 net/ipv6/af_inet6.c:476 + __sock_release net/socket.c:650 [inline] + sock_close+0x6c/0x150 net/socket.c:1318 + __fput+0x295/0x520 fs/file_table.c:280 + ____fput+0x11/0x20 fs/file_table.c:313 + task_work_run+0x8e/0x110 kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x160/0x190 kernel/entry/common.c:207 + __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] + syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:300 + do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +write to 0xffff8881087d5886 of 1 bytes by task 1912 on cpu 1: + fib6_info_hw_flags_set+0x155/0x3b0 net/ipv6/route.c:6230 + nsim_fib6_rt_hw_flags_set 
drivers/net/netdevsim/fib.c:668 [inline] + nsim_fib6_rt_add drivers/net/netdevsim/fib.c:691 [inline] + nsim_fib6_rt_insert drivers/net/netdevsim/fib.c:756 [inline] + nsim_fib6_event drivers/net/netdevsim/fib.c:853 [inline] + nsim_fib_event drivers/net/netdevsim/fib.c:886 [inline] + nsim_fib_event_work+0x284f/0x2cf0 drivers/net/netdevsim/fib.c:1477 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x2c7/0x2e0 kernel/kthread.c:327 + ret_from_fork+0x1f/0x30 + +value changed: 0x22 -> 0x2a + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 1912 Comm: kworker/1:3 Not tainted 5.16.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events nsim_fib_event_work + +Fixes: 0c5fcf9e249e ("IPv6: Add "offload failed" indication to routes") +Fixes: bb3c4ab93e44 ("ipv6: Add "offload" and "trap" indications to routes") +Signed-off-by: Eric Dumazet +Cc: Amit Cohen +Cc: Ido Schimmel +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220216173217.3792411-2-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/netdevsim/fib.c | 4 ++-- + include/net/ip6_fib.h | 10 ++++++---- + net/ipv6/route.c | 19 ++++++++++--------- + 3 files changed, 18 insertions(+), 15 deletions(-) + +--- a/drivers/net/netdevsim/fib.c ++++ b/drivers/net/netdevsim/fib.c +@@ -623,14 +623,14 @@ static int nsim_fib6_rt_append(struct ns + if (err) + goto err_fib6_rt_nh_del; + +- fib6_event->rt_arr[i]->trap = true; ++ WRITE_ONCE(fib6_event->rt_arr[i]->trap, true); + } + + return 0; + + err_fib6_rt_nh_del: + for (i--; i >= 0; i--) { +- fib6_event->rt_arr[i]->trap = false; ++ WRITE_ONCE(fib6_event->rt_arr[i]->trap, false); + nsim_fib6_rt_nh_del(fib6_rt, fib6_event->rt_arr[i]); + } + return err; +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -189,14 +189,16 @@ struct fib6_info { + u32 fib6_metric; + u8 
fib6_protocol; + u8 fib6_type; ++ ++ u8 offload; ++ u8 trap; ++ u8 offload_failed; ++ + u8 should_flush:1, + dst_nocount:1, + dst_nopolicy:1, + fib6_destroying:1, +- offload:1, +- trap:1, +- offload_failed:1, +- unused:1; ++ unused:4; + + struct rcu_head rcu; + struct nexthop *nh; +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5767,11 +5767,11 @@ static int rt6_fill_node(struct net *net + } + + if (!dst) { +- if (rt->offload) ++ if (READ_ONCE(rt->offload)) + rtm->rtm_flags |= RTM_F_OFFLOAD; +- if (rt->trap) ++ if (READ_ONCE(rt->trap)) + rtm->rtm_flags |= RTM_F_TRAP; +- if (rt->offload_failed) ++ if (READ_ONCE(rt->offload_failed)) + rtm->rtm_flags |= RTM_F_OFFLOAD_FAILED; + } + +@@ -6229,19 +6229,20 @@ void fib6_info_hw_flags_set(struct net * + struct sk_buff *skb; + int err; + +- if (f6i->offload == offload && f6i->trap == trap && +- f6i->offload_failed == offload_failed) ++ if (READ_ONCE(f6i->offload) == offload && ++ READ_ONCE(f6i->trap) == trap && ++ READ_ONCE(f6i->offload_failed) == offload_failed) + return; + +- f6i->offload = offload; +- f6i->trap = trap; ++ WRITE_ONCE(f6i->offload, offload); ++ WRITE_ONCE(f6i->trap, trap); + + /* 2 means send notifications only if offload_failed was changed. */ + if (net->ipv6.sysctl.fib_notify_on_flag_change == 2 && +- f6i->offload_failed == offload_failed) ++ READ_ONCE(f6i->offload_failed) == offload_failed) + return; + +- f6i->offload_failed = offload_failed; ++ WRITE_ONCE(f6i->offload_failed, offload_failed); + + if (!rcu_access_pointer(f6i->fib6_node)) + /* The route was removed from the tree, do not send diff --git a/queue-5.15/ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch b/queue-5.15/ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch new file mode 100644 index 00000000000..63bdebea674 --- /dev/null +++ b/queue-5.15/ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch 
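Review bot: In struct fib6_info, `should_flush`, `dst_nocount`, `dst_nopolicy` and `fib6_destroying` still share one bitfield byte, so an unsynchronized write to any of them remains a read-modify-write of its neighbours. Moving `offload`, `trap` and `offload_failed` into their own `u8` takes them out of that byte, but nothing in the struct records why they are separate. A comment above the new fields would stop them being folded back into the bitfield later: `/* Written locklessly with WRITE_ONCE(); must not share a byte with the bitfield below. */`. Whether the remaining bits are ever written without a common lock is not visible from this hunk.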
@@ -0,0 +1,97 @@ +From 26394fc118d6115390bd5b3a0fb17096271da227 Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin +Date: Fri, 11 Feb 2022 17:30:42 +0000 +Subject: ipv6: mcast: use rcu-safe version of ipv6_get_lladdr() + +From: Ignat Korchagin + +commit 26394fc118d6115390bd5b3a0fb17096271da227 upstream. + +Some time ago 8965779d2c0e ("ipv6,mcast: always hold idev->lock before mca_lock") +switched ipv6_get_lladdr() to __ipv6_get_lladdr(), which is rcu-unsafe +version. That was OK, because idev->lock was held for these codepaths. + +In 88e2ca308094 ("mld: convert ifmcaddr6 to RCU") these external locks were +removed, so we probably need to restore the original rcu-safe call. + +Otherwise, we occasionally get a machine crashed/stalled with the following +in dmesg: + +[ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI +[ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G O 5.15.19-cloudflare-2022.2.1 #1 +[ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV +[ 3406.009552][T230589] Workqueue: mld mld_ifc_work +[ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60 +[ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b +[ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202 +[ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040 +[ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008 +[ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000 +[ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100 +[ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000 +[ 3406.125730][T230589] FS: 0000000000000000(0000) 
GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000 +[ 3406.138992][T230589] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3406.149895][T230589] CR2: 00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0 +[ 3406.162421][T230589] Call Trace: +[ 3406.170235][T230589] +[ 3406.177736][T230589] mld_newpack+0xfe/0x1a0 +[ 3406.186686][T230589] add_grhead+0x87/0xa0 +[ 3406.195498][T230589] add_grec+0x485/0x4e0 +[ 3406.204310][T230589] ? newidle_balance+0x126/0x3f0 +[ 3406.214024][T230589] mld_ifc_work+0x15d/0x450 +[ 3406.223279][T230589] process_one_work+0x1e6/0x380 +[ 3406.232982][T230589] worker_thread+0x50/0x3a0 +[ 3406.242371][T230589] ? rescuer_thread+0x360/0x360 +[ 3406.252175][T230589] kthread+0x127/0x150 +[ 3406.261197][T230589] ? set_kthread_struct+0x40/0x40 +[ 3406.271287][T230589] ret_from_fork+0x22/0x30 +[ 3406.280812][T230589] +[ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders] +[ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]--- + +Fixes: 88e2ca308094 ("mld: convert ifmcaddr6 to RCU") +Reported-by: David Pinilla Caparros +Signed-off-by: Ignat Korchagin +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/addrconf.h | 2 -- + net/ipv6/addrconf.c | 4 ++-- + net/ipv6/mcast.c | 2 +- + 3 files changed, 3 insertions(+), 5 deletions(-) + +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -109,8 +109,6 @@ struct inet6_ifaddr *ipv6_get_ifaddr(str + int ipv6_dev_get_saddr(struct net *net, const struct net_device *dev, + const struct in6_addr *daddr, unsigned int srcprefs, + struct in6_addr *saddr); +-int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr, +- u32 banned_flags); + int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr, + u32 banned_flags); + bool inet_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2, +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1837,8 +1837,8 @@ out: + } + EXPORT_SYMBOL(ipv6_dev_get_saddr); + +-int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr, +- u32 banned_flags) ++static int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr, ++ u32 banned_flags) + { + struct inet6_ifaddr *ifp; + int err = -EADDRNOTAVAIL; +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1759,7 +1759,7 @@ static struct sk_buff *mld_newpack(struc + skb_reserve(skb, hlen); + skb_tailroom_reserve(skb, mtu, tlen); + +- if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) { ++ if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) { + /* : + * use unspecified address as the source address + * when a valid link-local address is not available. diff --git a/queue-5.15/ipv6-per-netns-exclusive-flowlabel-checks.patch b/queue-5.15/ipv6-per-netns-exclusive-flowlabel-checks.patch new file mode 100644 index 00000000000..15ee45c561e --- /dev/null +++ b/queue-5.15/ipv6-per-netns-exclusive-flowlabel-checks.patch 
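Review bot: `__ipv6_get_lladdr()` is made static in net/ipv6/addrconf.c but still has no statement of its locking contract, which is the assumption the mld_newpack() call site stopped meeting. The commit message says the direct call was only safe while `idev->lock` was held, so that belongs on the helper itself: `/* Caller must hold idev->lock. */`. A lockdep assertion at the top of the helper would turn a future violation into a warning instead of a general protection fault like the one quoted in the message. The helper's body continues outside the hunk, so the exact lock should be confirmed against the full function.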
@@ -0,0 +1,98 @@ +From 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 15 Feb 2022 11:00:37 -0500 +Subject: ipv6: per-netns exclusive flowlabel checks + +From: Willem de Bruijn + +commit 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b upstream. + +Ipv6 flowlabels historically require a reservation before use. +Optionally in exclusive mode (e.g., user-private). + +Commit 59c820b2317f ("ipv6: elide flowlabel check if no exclusive +leases exist") introduced a fastpath that avoids this check when no +exclusive leases exist in the system, and thus any flowlabel use +will be granted. + +That allows skipping the control operation to reserve a flowlabel +entirely. Though with a warning if the fast path fails: + + This is an optimization. Robust applications still have to revert to + requesting leases if the fast path fails due to an exclusive lease. + +Still, this is subtle. Better isolate network namespaces from each +other. Flowlabels are per-netns. Also record per-netns whether +exclusive leases are in use. Then behavior does not change based on +activity in other netns. 
+ +Changes + v2 + - wrap in IS_ENABLED(CONFIG_IPV6) to avoid breakage if disabled + +Fixes: 59c820b2317f ("ipv6: elide flowlabel check if no exclusive leases exist") +Link: https://lore.kernel.org/netdev/MWHPR2201MB1072BCCCFCE779E4094837ACD0329@MWHPR2201MB1072.namprd22.prod.outlook.com/ +Reported-by: Congyu Liu +Signed-off-by: Willem de Bruijn +Tested-by: Congyu Liu +Link: https://lore.kernel.org/r/20220215160037.1976072-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ipv6.h | 5 ++++- + include/net/netns/ipv6.h | 3 ++- + net/ipv6/ip6_flowlabel.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -391,17 +391,20 @@ static inline void txopt_put(struct ipv6 + kfree_rcu(opt, rcu); + } + ++#if IS_ENABLED(CONFIG_IPV6) + struct ip6_flowlabel *__fl6_sock_lookup(struct sock *sk, __be32 label); + + extern struct static_key_false_deferred ipv6_flowlabel_exclusive; + static inline struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, + __be32 label) + { +- if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key)) ++ if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key) && ++ READ_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl)) + return __fl6_sock_lookup(sk, label) ? 
: ERR_PTR(-ENOENT); + + return NULL; + } ++#endif + + struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, + struct ip6_flowlabel *fl, +--- a/include/net/netns/ipv6.h ++++ b/include/net/netns/ipv6.h +@@ -77,9 +77,10 @@ struct netns_ipv6 { + spinlock_t fib6_gc_lock; + unsigned int ip6_rt_gc_expire; + unsigned long ip6_rt_last_gc; ++ unsigned char flowlabel_has_excl; + #ifdef CONFIG_IPV6_MULTIPLE_TABLES +- unsigned int fib6_rules_require_fldissect; + bool fib6_has_custom_rules; ++ unsigned int fib6_rules_require_fldissect; + #ifdef CONFIG_IPV6_SUBTREES + unsigned int fib6_routes_require_src; + #endif +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -450,8 +450,10 @@ fl_create(struct net *net, struct sock * + err = -EINVAL; + goto done; + } +- if (fl_shared_exclusive(fl) || fl->opt) ++ if (fl_shared_exclusive(fl) || fl->opt) { ++ WRITE_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl, 1); + static_branch_deferred_inc(&ipv6_flowlabel_exclusive); ++ } + return fl; + + done: diff --git a/queue-5.15/iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch b/queue-5.15/iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch new file mode 100644 index 00000000000..dfa3fcc7081 --- /dev/null +++ b/queue-5.15/iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch 
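Review bot: `flowlabel_has_excl` is set in fl_create() and is not cleared in any hunk of this patch. A namespace that has created one exclusive lease therefore appears to stay on the `__fl6_sock_lookup()` path for as long as the static key is enabled. That is compatible with the isolation goal, but the one-way behaviour should be documented on the field in struct netns_ipv6: `/* set when an exclusive flowlabel lease is created in this netns; never reset */`. fl_create() also already receives `net`, so `WRITE_ONCE(net->ipv6.flowlabel_has_excl, 1);` would avoid going through `sock_net(sk)`, assuming both refer to the same namespace.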
@@ -0,0 +1,87 @@ +From 5f06f6bf8d816578c390a2b8a485d40adcca4749 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Fri, 28 Jan 2022 14:48:51 +0200 +Subject: iwlwifi: mvm: don't send SAR GEO command for 3160 devices + +From: Luca Coelho + +commit 5f06f6bf8d816578c390a2b8a485d40adcca4749 upstream. + +SAR GEO offsets are not supported on 3160 devices. The code was +refactored and caused us to start sending the command anyway, which +causes a FW assertion failure. Fix that only considering this feature +supported on FW API with major version is 17 if the device is not +3160. + +Additionally, fix the caller of iwl_mvm_sar_geo_init() so that it +checks for the return value, which it was ignoring. + +Reported-by: Len Brown +Signed-off-by: Luca Coelho +Fixes: 78a19d5285d9 ("iwlwifi: mvm: Read the PPAG and SAR tables at INIT stage") +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20220128144623.96f683a89b42.I14e2985bfd7ddd8a8d83eb1869b800c0e7f30db4@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 11 ++++++----- + drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 3 ++- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +- + 3 files changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +@@ -1,7 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + /* + * Copyright (C) 2017 Intel Deutschland GmbH +- * Copyright (C) 2019-2021 Intel Corporation ++ * Copyright (C) 2019-2022 Intel Corporation + */ + #include + #include "iwl-drv.h" +@@ -814,10 +814,11 @@ bool iwl_sar_geo_support(struct iwl_fw_r + * only one using version 36, so skip this version entirely. 
+ */ + return IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) >= 38 || +- IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 17 || +- (IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 29 && +- ((fwrt->trans->hw_rev & CSR_HW_REV_TYPE_MSK) == +- CSR_HW_REV_TYPE_7265D)); ++ (IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 17 && ++ fwrt->trans->hw_rev != CSR_HW_REV_TYPE_3160) || ++ (IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 29 && ++ ((fwrt->trans->hw_rev & CSR_HW_REV_TYPE_MSK) == ++ CSR_HW_REV_TYPE_7265D)); + } + IWL_EXPORT_SYMBOL(iwl_sar_geo_support); + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-csr.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-csr.h +@@ -1,6 +1,6 @@ + /* SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause */ + /* +- * Copyright (C) 2005-2014, 2018-2021 Intel Corporation ++ * Copyright (C) 2005-2014, 2018-2022 Intel Corporation + * Copyright (C) 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2016 Intel Deutschland GmbH + */ +@@ -319,6 +319,7 @@ enum { + #define CSR_HW_REV_TYPE_2x00 (0x0000100) + #define CSR_HW_REV_TYPE_105 (0x0000110) + #define CSR_HW_REV_TYPE_135 (0x0000120) ++#define CSR_HW_REV_TYPE_3160 (0x0000164) + #define CSR_HW_REV_TYPE_7265D (0x0000210) + #define CSR_HW_REV_TYPE_NONE (0x00001F0) + #define CSR_HW_REV_TYPE_QNJ (0x0000360) +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -1572,7 +1572,7 @@ int iwl_mvm_up(struct iwl_mvm *mvm) + ret = iwl_mvm_sar_init(mvm); + if (ret == 0) + ret = iwl_mvm_sar_geo_init(mvm); +- else if (ret < 0) ++ if (ret < 0) + goto error; + + iwl_mvm_tas_init(mvm); diff --git a/queue-5.15/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch b/queue-5.15/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch new file mode 100644 index 00000000000..73313ecc9fa --- /dev/null +++ b/queue-5.15/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch 
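Review bot: The new 3160 test in iwl_sar_geo_support() compares the raw `fwrt->trans->hw_rev` with `CSR_HW_REV_TYPE_3160`, while the 7265D test right below it masks the value with `CSR_HW_REV_TYPE_MSK` first. If `hw_rev` carries bits outside the type field, the inequality is always true. A 3160 device with ucode serial 17 would then still be sent the SAR GEO command that the commit message says triggers a firmware assertion. Use the same form as the neighbouring check: `(fwrt->trans->hw_rev & CSR_HW_REV_TYPE_MSK) != CSR_HW_REV_TYPE_3160`. The start of the function is outside the hunk.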
@@ -0,0 +1,34 @@
+From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 28 Jan 2022 14:30:52 +0200
+Subject: iwlwifi: pcie: fix locking when "HW not ready"
+
+From: Johannes Berg
+
+commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this.
+
+Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1273,8 +1273,7 @@ static int iwl_trans_pcie_start_fw(struc
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
diff --git a/queue-5.15/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch b/queue-5.15/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
new file mode 100644
index 00000000000..542b25f1cc1
--- /dev/null
+++ b/queue-5.15/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
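Review bot: The early `return -EIO;` in iwl_trans_pcie_start_fw() is only correct while nothing has been acquired before it, and the hunk has no comment saying so. According to the commit message the mutex released on the `out` path is not yet held at this point. A short note would keep a later cleanup from turning this back into a jump: `/* mutex not taken yet: return directly, do not jump to out */`. The same applies to iwl_trans_pcie_gen2_start_fw() in the gen2 patch that follows. The lock acquisition and the `out` label are outside the hunk.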
@@ -0,0 +1,34 @@
+From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 28 Jan 2022 14:30:53 +0200
+Subject: iwlwifi: pcie: gen2: fix locking when "HW not ready"
+
+From: Johannes Berg
+
+commit 4c29c1e27a1e178a219b3877d055e6dd643bdfda upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this in the gen2 code as well.
+
+Fixes: eda50cde58de ("iwlwifi: pcie: add context information support")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -408,8 +408,7 @@ int iwl_trans_pcie_gen2_start_fw(struct
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
diff --git a/queue-5.15/libsubcmd-fix-use-after-free-for-realloc-...-0.patch b/queue-5.15/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
new file mode 100644
index 00000000000..23bfaebab85
--- /dev/null
+++ b/queue-5.15/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
@@ -0,0 +1,66 @@ +From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Sun, 13 Feb 2022 10:24:43 -0800 +Subject: libsubcmd: Fix use-after-free for realloc(..., 0) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream. + +GCC 12 correctly reports a potential use-after-free condition in the +xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)" +when size == 0: + +In file included from help.c:12: +In function 'xrealloc', + inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free] + 56 | ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ +subcmd-util.h:52:21: note: call to 'realloc' here + 52 | void *ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ +subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free] + 58 | ret = realloc(ptr, 1); + | ^~~~~~~~~~~~~~~ +subcmd-util.h:52:21: note: call to 'realloc' here + 52 | void *ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ + +Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence") +Reported-by: Valdis Klētnieks +Signed-off-by: Kees Kook +Tested-by: Valdis Klētnieks +Tested-by: Justin M. 
Forbes +Acked-by: Josh Poimboeuf +Cc: linux-hardening@vger.kernel.org +Cc: Valdis Klētnieks +Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/subcmd/subcmd-util.h | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/tools/lib/subcmd/subcmd-util.h ++++ b/tools/lib/subcmd/subcmd-util.h +@@ -50,15 +50,8 @@ static NORETURN inline void die(const ch + static inline void *xrealloc(void *ptr, size_t size) + { + void *ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) { +- ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) +- die("Out of memory, realloc failed"); +- } ++ if (!ret) ++ die("Out of memory, realloc failed"); + return ret; + } + diff --git a/queue-5.15/mac80211-mlme-check-for-null-after-calling-kmemdup.patch b/queue-5.15/mac80211-mlme-check-for-null-after-calling-kmemdup.patch new file mode 100644 index 00000000000..0ffeab3441f --- /dev/null +++ b/queue-5.15/mac80211-mlme-check-for-null-after-calling-kmemdup.patch 
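Review bot: With the retry logic removed, `xrealloc(ptr, 0)` reaches `die("Out of memory, realloc failed")` on any C library whose `realloc(ptr, 0)` frees the block and returns NULL, which is the case the deleted `realloc(ptr, 1)` fallback was covering. Whether any caller actually passes a zero size is not visible from this hunk, so this may be latent only. Normalising the size before the single call keeps the one-realloc shape that removes the use-after-free and keeps the helper's never-returns-NULL contract: add `if (!size) size = 1;` ahead of the `realloc(ptr, size)` call.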
@@ -0,0 +1,118 @@ +From a72c01a94f1d285a274219d36e2a17b4846c0615 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 5 Jan 2022 16:15:59 +0800 +Subject: mac80211: mlme: check for null after calling kmemdup + +From: Jiasheng Jiang + +commit a72c01a94f1d285a274219d36e2a17b4846c0615 upstream. + +As the possible failure of the alloc, the ifmgd->assoc_req_ies might be +NULL pointer returned from kmemdup(). +Therefore it might be better to free the skb and return error in order +to fail the association, like ieee80211_assoc_success(). +Also, the caller, ieee80211_do_assoc(), needs to deal with the return +value from ieee80211_send_assoc(). + +Fixes: 4d9ec73d2b78 ("cfg80211: Report Association Request frame IEs in association events") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220105081559.2387083-1-jiasheng@iscas.ac.cn +[fix some paths to be errors, not success] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -664,7 +664,7 @@ static void ieee80211_add_he_ie(struct i + ieee80211_ie_build_he_6ghz_cap(sdata, skb); + } + +-static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata) ++static int ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata) + { + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; +@@ -684,6 +684,7 @@ static void ieee80211_send_assoc(struct + enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif); + const struct ieee80211_sband_iftype_data *iftd; + struct ieee80211_prep_tx_info info = {}; ++ int ret; + + /* we know it's writable, cast away the const */ + if (assoc_data->ie_len) +@@ -697,7 +698,7 @@ static void ieee80211_send_assoc(struct + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); + if (WARN_ON(!chanctx_conf)) { + rcu_read_unlock(); +- return; ++ 
return -EINVAL; + } + chan = chanctx_conf->def.chan; + rcu_read_unlock(); +@@ -748,7 +749,7 @@ static void ieee80211_send_assoc(struct + (iftd ? iftd->vendor_elems.len : 0), + GFP_KERNEL); + if (!skb) +- return; ++ return -ENOMEM; + + skb_reserve(skb, local->hw.extra_tx_headroom); + +@@ -1029,15 +1030,22 @@ skip_rates: + skb_put_data(skb, assoc_data->ie + offset, noffset - offset); + } + +- if (assoc_data->fils_kek_len && +- fils_encrypt_assoc_req(skb, assoc_data) < 0) { +- dev_kfree_skb(skb); +- return; ++ if (assoc_data->fils_kek_len) { ++ ret = fils_encrypt_assoc_req(skb, assoc_data); ++ if (ret < 0) { ++ dev_kfree_skb(skb); ++ return ret; ++ } + } + + pos = skb_tail_pointer(skb); + kfree(ifmgd->assoc_req_ies); + ifmgd->assoc_req_ies = kmemdup(ie_start, pos - ie_start, GFP_ATOMIC); ++ if (!ifmgd->assoc_req_ies) { ++ dev_kfree_skb(skb); ++ return -ENOMEM; ++ } ++ + ifmgd->assoc_req_ies_len = pos - ie_start; + + drv_mgd_prepare_tx(local, sdata, &info); +@@ -1047,6 +1055,8 @@ skip_rates: + IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS | + IEEE80211_TX_INTFL_MLME_CONN_TX; + ieee80211_tx_skb(sdata, skb); ++ ++ return 0; + } + + void ieee80211_send_pspoll(struct ieee80211_local *local, +@@ -4451,6 +4461,7 @@ static int ieee80211_do_assoc(struct iee + { + struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data; + struct ieee80211_local *local = sdata->local; ++ int ret; + + sdata_assert_lock(sdata); + +@@ -4471,7 +4482,9 @@ static int ieee80211_do_assoc(struct iee + sdata_info(sdata, "associate with %pM (try %d/%d)\n", + assoc_data->bss->bssid, assoc_data->tries, + IEEE80211_ASSOC_MAX_TRIES); +- ieee80211_send_assoc(sdata); ++ ret = ieee80211_send_assoc(sdata); ++ if (ret) ++ return ret; + + if (!ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) { + assoc_data->timeout = jiffies + IEEE80211_ASSOC_TIMEOUT; 
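Review bot: In the new `if (!ifmgd->assoc_req_ies)` branch of ieee80211_send_assoc(), the pointer has just become NULL but `ifmgd->assoc_req_ies_len` still holds the length of the buffer released by the `kfree()` two lines earlier. Any reader that trusts the length without testing the pointer would then pair a NULL buffer with a stale size; whether such a reader exists is outside this hunk. Adding `ifmgd->assoc_req_ies_len = 0;` before `dev_kfree_skb(skb);` keeps the pointer and length consistent on the failure path.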
diff --git a/queue-5.15/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch b/queue-5.15/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
new file mode 100644
index 00000000000..361a4f337a6
--- /dev/null
+++ b/queue-5.15/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
@@ -0,0 +1,49 @@
+From c832962ac972082b3a1f89775c9d4274c8cb5670 Mon Sep 17 00:00:00 2001
+From: Oleksandr Mazur
+Date: Tue, 15 Feb 2022 18:53:03 +0200
+Subject: net: bridge: multicast: notify switchdev driver whenever MC processing gets disabled
+
+From: Oleksandr Mazur
+
+commit c832962ac972082b3a1f89775c9d4274c8cb5670 upstream.
+
+Whenever bridge driver hits the max capacity of MDBs, it disables
+the MC processing (by setting corresponding bridge option), but never
+notifies switchdev about such change (the notifiers are called only upon
+explicit setting of this option, through the registered netlink interface).
+
+This could lead to situation when Software MDB processing gets disabled,
+but this event never gets offloaded to the underlying Hardware.
+
+Fix this by adding a notify message in such case.
+
+Fixes: 147c1e9b902c ("switchdev: bridge: Offload multicast disabled")
+Signed-off-by: Oleksandr Mazur
+Acked-by: Nikolay Aleksandrov
+Link: https://lore.kernel.org/r/20220215165303.31908-1-oleksandr.mazur@plvision.eu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_multicast.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -82,6 +82,9 @@ static void br_multicast_find_del_pg(str
+ struct net_bridge_port_group *pg);
+ static void __br_multicast_stop(struct net_bridge_mcast *brmctx);
+
++static int br_mc_disabled_update(struct net_device *dev, bool value,
++ struct netlink_ext_ack *extack);
++
+ static struct net_bridge_port_group *
+ br_sg_port_find(struct net_bridge *br,
+ struct net_bridge_port_group_sg_key *sg_p)
+@@ -1156,6 +1159,7 @@ struct net_bridge_mdb_entry *br_multicas
+ return mp;
+
+ if (atomic_read(&br->mdb_hash_tbl.nelems) >= br->hash_max) {
++ br_mc_disabled_update(br->dev, false, NULL);
+ br_opt_toggle(br, BROPT_MULTICAST_ENABLED, false);
+ return ERR_PTR(-E2BIG);
+ }
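Review bot: The new call `br_mc_disabled_update(br->dev, false, NULL);` in the second hunk discards the int that the forward declaration added in the first hunk says it returns. If the switchdev notification fails, the following `br_opt_toggle()` still disables software multicast while the hardware keeps its old state, which is the divergence this commit sets out to remove, and nothing is logged. The branch already returns `ERR_PTR(-E2BIG)`, so the error cannot be propagated, but it can be reported: `if (br_mc_disabled_update(br->dev, false, NULL)) br_warn(br, "failed to offload multicast disable\n");`. The enclosing function starts and ends outside the hunk.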
diff --git a/queue-5.15/net-dsa-lan9303-add-vlan-ids-to-master-device.patch b/queue-5.15/net-dsa-lan9303-add-vlan-ids-to-master-device.patch
new file mode 100644
index 00000000000..ca1118c7532
--- /dev/null
+++ b/queue-5.15/net-dsa-lan9303-add-vlan-ids-to-master-device.patch
@@ -0,0 +1,75 @@ +From 430065e2671905ac675f97b7af240cc255964e93 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Wed, 16 Feb 2022 20:48:18 +0000 +Subject: net: dsa: lan9303: add VLAN IDs to master device + +From: Mans Rullgard + +commit 430065e2671905ac675f97b7af240cc255964e93 upstream. + +If the master device does VLAN filtering, the IDs used by the switch +must be added for any frames to be received. Do this in the +port_enable() function, and remove them in port_disable(). + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Mans Rullgard +Reviewed-by: Florian Fainelli +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220216204818.28746-1-mans@mansr.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/Kconfig | 1 + + drivers/net/dsa/lan9303-core.c | 11 +++++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/Kconfig ++++ b/drivers/net/dsa/Kconfig +@@ -81,6 +81,7 @@ config NET_DSA_REALTEK_SMI + + config NET_DSA_SMSC_LAN9303 + tristate ++ depends on VLAN_8021Q || VLAN_8021Q=n + select NET_DSA_TAG_LAN9303 + select REGMAP + help +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + + #include "lan9303.h" +@@ -1083,21 +1084,27 @@ static void lan9303_adjust_link(struct d + static int lan9303_port_enable(struct dsa_switch *ds, int port, + struct phy_device *phy) + { ++ struct dsa_port *dp = dsa_to_port(ds, port); + struct lan9303 *chip = ds->priv; + +- if (!dsa_is_user_port(ds, port)) ++ if (!dsa_port_is_user(dp)) + return 0; + ++ vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port); ++ + return lan9303_enable_processing_port(chip, port); + } + + static void lan9303_port_disable(struct dsa_switch *ds, int port) + { ++ struct dsa_port *dp = dsa_to_port(ds, port); + struct lan9303 *chip = ds->priv; + +- if (!dsa_is_user_port(ds, 
port)) ++ if (!dsa_port_is_user(dp)) + return; + ++ vlan_vid_del(dp->cpu_dp->master, htons(ETH_P_8021Q), port); ++ + lan9303_disable_processing_port(chip, port); + lan9303_phy_write(ds, chip->phy_addr_base + port, MII_BMCR, BMCR_PDOWN); + } diff --git a/queue-5.15/net-dsa-lan9303-fix-reset-on-probe.patch b/queue-5.15/net-dsa-lan9303-fix-reset-on-probe.patch new file mode 100644 index 00000000000..d8e59cfa996 --- /dev/null +++ b/queue-5.15/net-dsa-lan9303-fix-reset-on-probe.patch @@ -0,0 +1,36 @@ +From 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Wed, 9 Feb 2022 14:54:54 +0000 +Subject: net: dsa: lan9303: fix reset on probe + +From: Mans Rullgard + +commit 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 upstream. + +The reset input to the LAN9303 chip is active low, and devicetree +gpio handles reflect this. Therefore, the gpio should be requested +with an initial state of high in order for the reset signal to be +asserted. Other uses of the gpio already use the correct polarity. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Mans Rullgard +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fianelil +Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lan9303-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -1309,7 +1309,7 @@ static int lan9303_probe_reset_gpio(stru + struct device_node *np) + { + chip->reset_gpio = devm_gpiod_get_optional(chip->dev, "reset", +- GPIOD_OUT_LOW); ++ GPIOD_OUT_HIGH); + if (IS_ERR(chip->reset_gpio)) + return PTR_ERR(chip->reset_gpio); + diff --git a/queue-5.15/net-dsa-lan9303-handle-hwaccel-vlan-tags.patch b/queue-5.15/net-dsa-lan9303-handle-hwaccel-vlan-tags.patch new file mode 100644 index 00000000000..d7aae66225b --- /dev/null 
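Review bot: The result of `vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port);` in lan9303_port_enable() is ignored, so when the add fails the port is still enabled while the master keeps filtering that VID and frames for the port are silently dropped, the condition the commit message describes. lan9303_port_disable() would later call `vlan_vid_del()` for a VID that was never registered. lan9303_port_enable() already returns int, so the failure can be propagated with `err = vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port);` followed by `if (err) return err;`.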
+++ b/queue-5.15/net-dsa-lan9303-handle-hwaccel-vlan-tags.patch 
@@ -0,0 +1,69 @@ +From 017b355bbdc6620fd8fe05fe297f553ce9d855ee Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Wed, 16 Feb 2022 12:46:34 +0000 +Subject: net: dsa: lan9303: handle hwaccel VLAN tags + +From: Mans Rullgard + +commit 017b355bbdc6620fd8fe05fe297f553ce9d855ee upstream. + +Check for a hwaccel VLAN tag on rx and use it if present. Otherwise, +use __skb_vlan_pop() like the other tag parsers do. This fixes the case +where the VLAN tag has already been consumed by the master. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Mans Rullgard +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220216124634.23123-1-mans@mansr.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/tag_lan9303.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/net/dsa/tag_lan9303.c ++++ b/net/dsa/tag_lan9303.c +@@ -77,7 +77,6 @@ static struct sk_buff *lan9303_xmit(stru + + static struct sk_buff *lan9303_rcv(struct sk_buff *skb, struct net_device *dev) + { +- __be16 *lan9303_tag; + u16 lan9303_tag1; + unsigned int source_port; + +@@ -87,14 +86,15 @@ static struct sk_buff *lan9303_rcv(struc + return NULL; + } + +- lan9303_tag = dsa_etype_header_pos_rx(skb); +- +- if (lan9303_tag[0] != htons(ETH_P_8021Q)) { +- dev_warn_ratelimited(&dev->dev, "Dropping packet due to invalid VLAN marker\n"); +- return NULL; ++ if (skb_vlan_tag_present(skb)) { ++ lan9303_tag1 = skb_vlan_tag_get(skb); ++ __vlan_hwaccel_clear_tag(skb); ++ } else { ++ skb_push_rcsum(skb, ETH_HLEN); ++ __skb_vlan_pop(skb, &lan9303_tag1); ++ skb_pull_rcsum(skb, ETH_HLEN); + } + +- lan9303_tag1 = ntohs(lan9303_tag[1]); + source_port = lan9303_tag1 & 0x3; + + skb->dev = dsa_master_find_slave(dev, 0, source_port); +@@ -103,13 +103,6 @@ static struct sk_buff *lan9303_rcv(struc + return NULL; + } + +- /* remove the special VLAN tag between the MAC addresses +- * and the current ethertype field. 
+- */ +- skb_pull_rcsum(skb, 2 + 2); +- +- dsa_strip_etype_header(skb, LAN9303_TAG_LEN); +- + if (!(lan9303_tag1 & LAN9303_TAG_RX_TRAPPED_TO_CPU)) + dsa_default_offload_fwd_mark(skb); + diff --git a/queue-5.15/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch b/queue-5.15/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch new file mode 100644 index 00000000000..9857a1c2b10 --- /dev/null +++ b/queue-5.15/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch @@ -0,0 +1,34 @@ +From 8c6ae46150a453f8ae9a6cd49b45f354f478587d Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Tue, 15 Feb 2022 13:42:48 +0300 +Subject: net: dsa: lantiq_gswip: fix use after free in gswip_remove() + +From: Alexey Khoroshilov + +commit 8c6ae46150a453f8ae9a6cd49b45f354f478587d upstream. + +of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be +done before mdiobus_free(priv->ds->slave_mii_bus). + +Signed-off-by: Alexey Khoroshilov +Fixes: 0d120dfb5d67 ("net: dsa: lantiq_gswip: don't use devres for mdiobus") +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/1644921768-26477-1-git-send-email-khoroshilov@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lantiq_gswip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/lantiq_gswip.c ++++ b/drivers/net/dsa/lantiq_gswip.c +@@ -2201,8 +2201,8 @@ static int gswip_remove(struct platform_ + + if (priv->ds->slave_mii_bus) { + mdiobus_unregister(priv->ds->slave_mii_bus); +- mdiobus_free(priv->ds->slave_mii_bus); + of_node_put(priv->ds->slave_mii_bus->dev.of_node); ++ mdiobus_free(priv->ds->slave_mii_bus); + } + + for (i = 0; i < priv->num_gphy_fw; i++) diff --git a/queue-5.15/net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch b/queue-5.15/net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch new file mode 100644 index 00000000000..81202f284d3 --- /dev/null 
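Review bot: In the new `else` branch of lan9303_rcv(), the return value of `__skb_vlan_pop(skb, &lan9303_tag1)` is dropped and `lan9303_tag1` is declared without an initialiser, so if the pop fails without storing a tag, `source_port = lan9303_tag1 & 0x3` is computed from an indeterminate value for a frame that came off the wire. Dropping the frame on failure, as the other error paths in this function do, avoids that: `if (__skb_vlan_pop(skb, &lan9303_tag1)) return NULL;`, ideally with the ratelimited warning the old code printed. The removed `lan9303_tag[0] != htons(ETH_P_8021Q)` test was also the only visible check that the frame carries the switch tag at all; whether `__skb_vlan_pop()` validates the ethertype is not shown here and is worth confirming. The function body continues outside the hunk.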
+++ b/queue-5.15/net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch 
@@ -0,0 +1,81 @@ +From a2614140dc0f467a83aa3bb4b6ee2d6480a76202 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Fri, 11 Feb 2022 19:45:06 +0200 +Subject: net: dsa: mv88e6xxx: flush switchdev FDB workqueue before removing VLAN + +From: Vladimir Oltean + +commit a2614140dc0f467a83aa3bb4b6ee2d6480a76202 upstream. + +mv88e6xxx is special among DSA drivers in that it requires the VTU to +contain the VID of the FDB entry it modifies in +mv88e6xxx_port_db_load_purge(), otherwise it will return -EOPNOTSUPP. + +Sometimes due to races this is not always satisfied even if external +code does everything right (first deletes the FDB entries, then the +VLAN), because DSA commits to hardware FDB entries asynchronously since +commit c9eb3e0f8701 ("net: dsa: Add support for learning FDB through +notification"). + +Therefore, the mv88e6xxx driver must close this race condition by +itself, by asking DSA to flush the switchdev workqueue of any FDB +deletions in progress, prior to exiting a VLAN. + +Fixes: c9eb3e0f8701 ("net: dsa: Add support for learning FDB through notification") +Reported-by: Rafael Richter +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 7 +++++++ + include/net/dsa.h | 1 + + net/dsa/dsa.c | 1 + + net/dsa/dsa_priv.h | 1 - + 4 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -2291,6 +2291,13 @@ static int mv88e6xxx_port_vlan_del(struc + if (!mv88e6xxx_max_vid(chip)) + return -EOPNOTSUPP; + ++ /* The ATU removal procedure needs the FID to be mapped in the VTU, ++ * but FDB deletion runs concurrently with VLAN deletion. Flush the DSA ++ * switchdev workqueue to ensure that all FDB entries are deleted ++ * before we remove the VLAN. 
++ */ ++ dsa_flush_workqueue(); ++ + mv88e6xxx_reg_lock(chip); + + err = mv88e6xxx_port_get_pvid(chip, port, &pvid); +--- a/include/net/dsa.h ++++ b/include/net/dsa.h +@@ -1056,6 +1056,7 @@ void dsa_unregister_switch(struct dsa_sw + int dsa_register_switch(struct dsa_switch *ds); + void dsa_switch_shutdown(struct dsa_switch *ds); + struct dsa_switch *dsa_switch_find(int tree_index, int sw_index); ++void dsa_flush_workqueue(void); + #ifdef CONFIG_PM_SLEEP + int dsa_switch_suspend(struct dsa_switch *ds); + int dsa_switch_resume(struct dsa_switch *ds); +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -349,6 +349,7 @@ void dsa_flush_workqueue(void) + { + flush_workqueue(dsa_owq); + } ++EXPORT_SYMBOL_GPL(dsa_flush_workqueue); + + int dsa_devlink_param_get(struct devlink *dl, u32 id, + struct devlink_param_gset_ctx *ctx) +--- a/net/dsa/dsa_priv.h ++++ b/net/dsa/dsa_priv.h +@@ -170,7 +170,6 @@ void dsa_tag_driver_put(const struct dsa + const struct dsa_device_ops *dsa_find_tagger_by_name(const char *buf); + + bool dsa_schedule_work(struct work_struct *work); +-void dsa_flush_workqueue(void); + const char *dsa_tag_protocol_to_str(const struct dsa_device_ops *ops); + + static inline int dsa_tag_protocol_overhead(const struct dsa_device_ops *ops) diff --git a/queue-5.15/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch b/queue-5.15/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch new file mode 100644 index 00000000000..7942a6c5a52 --- /dev/null +++ b/queue-5.15/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch 
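Review bot: dsa_flush_workqueue() becomes a public, exported API here (declaration moved to include/net/dsa.h, `EXPORT_SYMBOL_GPL` added) without any comment on its calling context. It blocks until every item on the shared `dsa_owq` has run, so a caller holding a lock that a queued work item also takes, or calling it from such a work item, would deadlock. In mv88e6xxx_port_vlan_del() the call is correctly placed before `mv88e6xxx_reg_lock(chip)`; locks already held by that function's callers are outside the hunk. I would add a comment above the declaration, e.g. `/* Waits for all deferred DSA work; do not call from that work or with locks it takes */`.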
@@ -0,0 +1,36 @@
+From bdc120a2bcd834e571ce4115aaddf71ab34495de Mon Sep 17 00:00:00 2001
+From: Miquel Raynal
+Date: Tue, 1 Feb 2022 19:06:26 +0100
+Subject: net: ieee802154: ca8210: Fix lifs/sifs periods
+
+From: Miquel Raynal
+
+commit bdc120a2bcd834e571ce4115aaddf71ab34495de upstream.
+
+These periods are expressed in time units (microseconds) while 40 and 12
+are the number of symbol durations these periods will last. We need to
+multiply them both with the symbol_duration in order to get these
+values in microseconds.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/r/20220201180629.93410-2-miquel.raynal@bootlin.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ieee802154/ca8210.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2977,8 +2977,8 @@ static void ca8210_hw_setup(struct ieee8
+ ca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND;
+ ca8210_hw->phy->cca_ed_level = -9800;
+ ca8210_hw->phy->symbol_duration = 16;
+- ca8210_hw->phy->lifs_period = 40;
+- ca8210_hw->phy->sifs_period = 12;
++ ca8210_hw->phy->lifs_period = 40 * ca8210_hw->phy->symbol_duration;
++ ca8210_hw->phy->sifs_period = 12 * ca8210_hw->phy->symbol_duration;
+ ca8210_hw->flags =
+ IEEE802154_HW_AFILT |
+ IEEE802154_HW_OMIT_CKSUM |
diff --git a/queue-5.15/net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch b/queue-5.15/net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch
new file mode 100644
index 00000000000..bc0a4621838
--- /dev/null
+++ b/queue-5.15/net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch
@@ -0,0 +1,43 @@
+From 525b108e6d95b643eccbd84fb10aa9aa101b18dd Mon Sep 17 00:00:00 2001
+From: DENG Qingfang
+Date: Wed, 9 Feb 2022 22:39:47 +0800
+Subject: net: phy: mediatek: remove PHY mode check on MT7531
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: DENG Qingfang
+
+commit 525b108e6d95b643eccbd84fb10aa9aa101b18dd upstream.
+
+The function mt7531_phy_mode_supported in the DSA driver set supported
+mode to PHY_INTERFACE_MODE_GMII instead of PHY_INTERFACE_MODE_INTERNAL
+for the internal PHY, so this check breaks the PHY initialization:
+
+mt7530 mdio-bus:00 wan (uninitialized): failed to connect to PHY: -EINVAL
+
+Remove the check to make it work again.
+
+Reported-by: Hauke Mehrtens
+Fixes: e40d2cca0189 ("net: phy: add MediaTek Gigabit Ethernet PHY driver")
+Signed-off-by: DENG Qingfang
+Acked-by: Arınç ÜNAL
+Tested-by: Hauke Mehrtens
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/mediatek-ge.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/phy/mediatek-ge.c
++++ b/drivers/net/phy/mediatek-ge.c
+@@ -55,9 +55,6 @@ static int mt7530_phy_config_init(struct
+
+ static int mt7531_phy_config_init(struct phy_device *phydev)
+ {
+- if (phydev->interface != PHY_INTERFACE_MODE_INTERNAL)
+- return -EINVAL;
+-
+ mtk_gephy_config_init(phydev);
+
+ /* PHY link down power saving enable */
diff --git a/queue-5.15/net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch b/queue-5.15/net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch
new file mode 100644
index 00000000000..beed5063e51
--- /dev/null
+++ b/queue-5.15/net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch
@@ -0,0 +1,66 @@ +From 1de9770d121ee9294794cca0e0be8fbfa0134ee8 Mon Sep 17 00:00:00 2001 +From: Wen Gu +Date: Wed, 9 Feb 2022 22:10:53 +0800 +Subject: net/smc: Avoid overwriting the copies of clcsock callback functions + +From: Wen Gu + +commit 1de9770d121ee9294794cca0e0be8fbfa0134ee8 upstream. + +The callback functions of clcsock will be saved and replaced during +the fallback. But if the fallback happens more than once, then the +copies of these callback functions will be overwritten incorrectly, +resulting in a loop call issue: + +clcsk->sk_error_report + |- smc_fback_error_report() <------------------------------| + |- smc_fback_forward_wakeup() | (loop) + |- clcsock_callback() (incorrectly overwritten) | + |- smc->clcsk_error_report() ------------------| + +So this patch fixes the issue by saving these function pointers only +once in the fallback and avoiding overwriting. + +Reported-by: syzbot+4de3c0e8a263e1e499bc@syzkaller.appspotmail.com +Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback") +Link: https://lore.kernel.org/r/0000000000006d045e05d78776f6@google.com +Signed-off-by: Wen Gu +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -649,14 +649,17 @@ static void smc_fback_error_report(struc + static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code) + { + struct sock *clcsk; ++ int rc = 0; + + mutex_lock(&smc->clcsock_release_lock); + if (!smc->clcsock) { +- mutex_unlock(&smc->clcsock_release_lock); +- return -EBADF; ++ rc = -EBADF; ++ goto out; + } + clcsk = smc->clcsock->sk; + ++ if (smc->use_fallback) ++ goto out; + smc->use_fallback = true; + smc->fallback_rsn = reason_code; + smc_stat_fallback(smc); +@@ -683,8 +686,9 @@ static int smc_switch_to_fallback(struct + smc->clcsock->sk->sk_user_data = + (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); + } ++out: + mutex_unlock(&smc->clcsock_release_lock); +- return 0; ++ return rc; + } + + /* fall back during connect */ diff --git a/queue-5.15/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch b/queue-5.15/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch new file mode 100644 index 00000000000..dea7192718c --- /dev/null +++ b/queue-5.15/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch 
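Review bot: The new guard `if (smc->use_fallback) goto out;` in smc_switch_to_fallback() has no comment, yet it is the only thing keeping a second fallback from overwriting the saved clcsock callbacks and recreating the call loop described in the commit message. A short comment above it would protect it from being tidied away, e.g. `/* already fell back: callbacks were saved once, never overwrite them */`. The early exit also returns 0 and drops the second call's `reason_code`, so `smc->fallback_rsn` keeps the first reason; that looks intended but is worth stating in the same comment. Part of the function body lies between the two hunks and is not shown.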
@@ -0,0 +1,327 @@ +From 5891cd5ec46c2c2eb6427cb54d214b149635dd0e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 11 Feb 2022 12:06:23 -0800 +Subject: net_sched: add __rcu annotation to netdev->qdisc + +From: Eric Dumazet + +commit 5891cd5ec46c2c2eb6427cb54d214b149635dd0e upstream. + +syzbot found a data-race [1] which lead me to add __rcu +annotations to netdev->qdisc, and proper accessors +to get LOCKDEP support. + +[1] +BUG: KCSAN: data-race in dev_activate / qdisc_lookup_rcu + +write to 0xffff888168ad6410 of 8 bytes by task 13559 on cpu 1: + attach_default_qdiscs net/sched/sch_generic.c:1167 [inline] + dev_activate+0x2ed/0x8f0 net/sched/sch_generic.c:1221 + __dev_open+0x2e9/0x3a0 net/core/dev.c:1416 + __dev_change_flags+0x167/0x3f0 net/core/dev.c:8139 + rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3150 + __rtnl_newlink net/core/rtnetlink.c:3489 [inline] + rtnl_newlink+0xf4d/0x13e0 net/core/rtnetlink.c:3529 + rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888168ad6410 of 8 bytes by task 13560 on cpu 0: + qdisc_lookup_rcu+0x30/0x2e0 net/sched/sch_api.c:323 + __tcf_qdisc_find+0x74/0x3a0 net/sched/cls_api.c:1050 + 
tc_del_tfilter+0x1c7/0x1350 net/sched/cls_api.c:2211 + rtnetlink_rcv_msg+0x5ba/0x7e0 net/core/rtnetlink.c:5585 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffffffff85dee080 -> 0xffff88815d96ec00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 13560 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 470502de5bdb ("net: sched: unlock rules update API") +Signed-off-by: Eric Dumazet +Cc: Vlad Buslov +Reported-by: syzbot +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 2 +- + net/core/rtnetlink.c | 6 ++++-- + net/sched/cls_api.c | 6 +++--- + net/sched/sch_api.c | 22 ++++++++++++---------- + net/sched/sch_generic.c | 29 ++++++++++++++++------------- + 5 files changed, 36 insertions(+), 29 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2149,7 +2149,7 @@ struct net_device { + struct netdev_queue *_tx ____cacheline_aligned_in_smp; + unsigned int num_tx_queues; + unsigned int real_num_tx_queues; +- struct Qdisc *qdisc; ++ struct Qdisc __rcu *qdisc; + unsigned int tx_queue_len; + spinlock_t tx_global_lock; + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1698,6 +1698,7 @@ static int rtnl_fill_ifinfo(struct sk_bu + { + struct ifinfomsg *ifm; + struct nlmsghdr *nlh; ++ struct Qdisc *qdisc; + + ASSERT_RTNL(); + nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags); +@@ -1715,6 +1716,7 @@ static int rtnl_fill_ifinfo(struct sk_bu + if (tgt_netnsid >= 0 && nla_put_s32(skb, IFLA_TARGET_NETNSID, tgt_netnsid)) + goto nla_put_failure; + ++ qdisc = rtnl_dereference(dev->qdisc); + if (nla_put_string(skb, IFLA_IFNAME, dev->name) || + nla_put_u32(skb, IFLA_TXQLEN, dev->tx_queue_len) || + nla_put_u8(skb, IFLA_OPERSTATE, +@@ -1733,8 +1735,8 @@ static int rtnl_fill_ifinfo(struct sk_bu + #endif + put_master_ifindex(skb, dev) || + nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) || +- (dev->qdisc && +- nla_put_string(skb, IFLA_QDISC, dev->qdisc->ops->id)) || ++ (qdisc && ++ nla_put_string(skb, IFLA_QDISC, qdisc->ops->id)) || + nla_put_ifalias(skb, dev) || + nla_put_u32(skb, IFLA_CARRIER_CHANGES, + atomic_read(&dev->carrier_up_count) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1044,7 +1044,7 @@ static int __tcf_qdisc_find(struct net * + + /* Find qdisc */ + if (!*parent) { +- *q = dev->qdisc; ++ *q = rcu_dereference(dev->qdisc); + *parent = (*q)->handle; + } else { + *q = qdisc_lookup_rcu(dev, 
TC_H_MAJ(*parent)); +@@ -2587,7 +2587,7 @@ static int tc_dump_tfilter(struct sk_buf + + parent = tcm->tcm_parent; + if (!parent) +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + else + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); + if (!q) +@@ -2962,7 +2962,7 @@ static int tc_dump_chain(struct sk_buff + return skb->len; + + if (!tcm->tcm_parent) +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + else + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -301,7 +301,7 @@ struct Qdisc *qdisc_lookup(struct net_de + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rtnl_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -320,7 +320,7 @@ struct Qdisc *qdisc_lookup_rcu(struct ne + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rcu_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -1082,10 +1082,10 @@ static int qdisc_graft(struct net_device + skip: + if (!ingress) { + notify_and_destroy(net, skb, n, classid, +- dev->qdisc, new); ++ rtnl_dereference(dev->qdisc), new); + if (new && !new->ops->attach) + qdisc_refcount_inc(new); +- dev->qdisc = new ? : &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, new ? 
: &noop_qdisc); + + if (new && new->ops->attach) + new->ops->attach(new); +@@ -1460,7 +1460,7 @@ static int tc_get_qdisc(struct sk_buff * + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + if (!q) { + NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device"); +@@ -1549,7 +1549,7 @@ replay: + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + + /* It may be default qdisc, ignore it */ +@@ -1771,7 +1771,8 @@ static int tc_dump_qdisc(struct sk_buff + s_q_idx = 0; + q_idx = 0; + +- if (tc_dump_qdisc_root(dev->qdisc, skb, cb, &q_idx, s_q_idx, ++ if (tc_dump_qdisc_root(rtnl_dereference(dev->qdisc), ++ skb, cb, &q_idx, s_q_idx, + true, tca[TCA_DUMP_INVISIBLE]) < 0) + goto done; + +@@ -2042,7 +2043,7 @@ static int tc_ctl_tclass(struct sk_buff + } else if (qid1) { + qid = qid1; + } else if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + + /* Now qid is genuine qdisc handle consistent + * both with parent and child. +@@ -2053,7 +2054,7 @@ static int tc_ctl_tclass(struct sk_buff + portid = TC_H_MAKE(qid, portid); + } else { + if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + } + + /* OK. 
Locate qdisc */ +@@ -2214,7 +2215,8 @@ static int tc_dump_tclass(struct sk_buff + s_t = cb->args[0]; + t = 0; + +- if (tc_dump_tclass_root(dev->qdisc, skb, tcm, cb, &t, s_t, true) < 0) ++ if (tc_dump_tclass_root(rtnl_dereference(dev->qdisc), ++ skb, tcm, cb, &t, s_t, true) < 0) + goto done; + + dev_queue = dev_ingress_queue(dev); +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1114,30 +1114,33 @@ static void attach_default_qdiscs(struct + if (!netif_is_multiqueue(dev) || + dev->priv_flags & IFF_NO_QUEUE) { + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); +- dev->qdisc = txq->qdisc_sleeping; +- qdisc_refcount_inc(dev->qdisc); ++ qdisc = txq->qdisc_sleeping; ++ rcu_assign_pointer(dev->qdisc, qdisc); ++ qdisc_refcount_inc(qdisc); + } else { + qdisc = qdisc_create_dflt(txq, &mq_qdisc_ops, TC_H_ROOT, NULL); + if (qdisc) { +- dev->qdisc = qdisc; ++ rcu_assign_pointer(dev->qdisc, qdisc); + qdisc->ops->attach(qdisc); + } + } ++ qdisc = rtnl_dereference(dev->qdisc); + + /* Detect default qdisc setup/init failed and fallback to "noqueue" */ +- if (dev->qdisc == &noop_qdisc) { ++ if (qdisc == &noop_qdisc) { + netdev_warn(dev, "default qdisc (%s) fail, fallback to %s\n", + default_qdisc_ops->id, noqueue_qdisc_ops.id); + dev->priv_flags |= IFF_NO_QUEUE; + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); +- dev->qdisc = txq->qdisc_sleeping; +- qdisc_refcount_inc(dev->qdisc); ++ qdisc = txq->qdisc_sleeping; ++ rcu_assign_pointer(dev->qdisc, qdisc); ++ qdisc_refcount_inc(qdisc); + dev->priv_flags ^= IFF_NO_QUEUE; + } + + #ifdef CONFIG_NET_SCHED +- if (dev->qdisc != &noop_qdisc) +- qdisc_hash_add(dev->qdisc, false); ++ if (qdisc != &noop_qdisc) ++ qdisc_hash_add(qdisc, false); + #endif + } + +@@ -1167,7 +1170,7 @@ void dev_activate(struct net_device *dev + * and noqueue_qdisc for virtual interfaces + */ + +- if (dev->qdisc == &noop_qdisc) ++ if (rtnl_dereference(dev->qdisc) == &noop_qdisc) + attach_default_qdiscs(dev); + + if 
(!netif_carrier_ok(dev)) +@@ -1333,7 +1336,7 @@ static int qdisc_change_tx_queue_len(str + void dev_qdisc_change_real_num_tx(struct net_device *dev, + unsigned int new_real_tx) + { +- struct Qdisc *qdisc = dev->qdisc; ++ struct Qdisc *qdisc = rtnl_dereference(dev->qdisc); + + if (qdisc->ops->change_real_num_tx) + qdisc->ops->change_real_num_tx(qdisc, new_real_tx); +@@ -1373,7 +1376,7 @@ static void dev_init_scheduler_queue(str + + void dev_init_scheduler(struct net_device *dev) + { +- dev->qdisc = &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + netdev_for_each_tx_queue(dev, dev_init_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + dev_init_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +@@ -1401,8 +1404,8 @@ void dev_shutdown(struct net_device *dev + netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + shutdown_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +- qdisc_put(dev->qdisc); +- dev->qdisc = &noop_qdisc; ++ qdisc_put(rtnl_dereference(dev->qdisc)); ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + + WARN_ON(timer_pending(&dev->watchdog_timer)); + } diff --git a/queue-5.15/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch b/queue-5.15/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch new file mode 100644 index 00000000000..09b328a824a --- /dev/null +++ b/queue-5.15/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch 
@@ -0,0 +1,32 @@
+From 2b4e5fb4d3776c391e40fb33673ba946dd96012d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 10 Feb 2022 10:06:42 +0100
+Subject: netfilter: nft_synproxy: unregister hooks on init error path
+
+From: Pablo Neira Ayuso
+
+commit 2b4e5fb4d3776c391e40fb33673ba946dd96012d upstream.
+
+Disable the IPv4 hooks if the IPv6 hooks fail to be registered.
+
+Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_synproxy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_synproxy.c
++++ b/net/netfilter/nft_synproxy.c
+@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const st
+ if (err)
+ goto nf_ct_failure;
+ err = nf_synproxy_ipv6_init(snet, ctx->net);
+- if (err)
++ if (err) {
++ nf_synproxy_ipv4_fini(snet, ctx->net);
+ goto nf_ct_failure;
++ }
+ break;
+ }
+
diff --git a/queue-5.15/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch b/queue-5.15/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch
new file mode 100644
index 00000000000..7f478952f23
--- /dev/null
+++ b/queue-5.15/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch
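Review bot: The IPv4 unwind sits inline in the IPv6 failure branch with no comment, so the reason this one branch needs an extra call before `goto nf_ct_failure` is not visible to a later reader. The preceding `if (err) goto nf_ct_failure;` presumably follows the IPv4 registration, but that call is outside the hunk. A comment on the new line, such as `/* IPv4 hooks were registered above; drop them so a failed init leaves no hook behind */`, would keep a future failure path added to this case from forgetting the same unwind. nft_synproxy_do_init starts and ends outside the hunk.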
@@ -0,0 +1,34 @@
+From 75063c9294fb239bbe64eb72141b6871fe526d29 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 8 Feb 2022 18:30:43 -0800
+Subject: netfilter: xt_socket: fix a typo in socket_mt_destroy()
+
+From: Eric Dumazet
+
+commit 75063c9294fb239bbe64eb72141b6871fe526d29 upstream.
+
+Calling nf_defrag_ipv4_disable() instead of nf_defrag_ipv6_disable()
+was probably not the intent.
+
+I found this by code inspection, while chasing a possible issue in TPROXY.
+
+Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
+Signed-off-by: Eric Dumazet
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/xt_socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/xt_socket.c
++++ b/net/netfilter/xt_socket.c
+@@ -221,7 +221,7 @@ static void socket_mt_destroy(const stru
+ if (par->family == NFPROTO_IPV4)
+ nf_defrag_ipv4_disable(par->net);
+ else if (par->family == NFPROTO_IPV6)
+- nf_defrag_ipv4_disable(par->net);
++ nf_defrag_ipv6_disable(par->net);
+ }
+
+ static struct xt_match socket_mt_reg[] __read_mostly = {
diff --git a/queue-5.15/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch b/queue-5.15/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
new file mode 100644
index 00000000000..a0f4f37f5c6
--- /dev/null
+++ b/queue-5.15/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
@@ -0,0 +1,50 @@ +From 31ded1535e3182778a1d0e5c32711f55da3bc512 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Wed, 16 Feb 2022 16:01:00 -0300 +Subject: perf bpf: Defer freeing string after possible strlen() on it + +From: Arnaldo Carvalho de Melo + +commit 31ded1535e3182778a1d0e5c32711f55da3bc512 upstream. + +This was detected by the gcc in Fedora Rawhide's gcc: + + 50 11.01 fedora:rawhide : FAIL gcc version 12.0.1 20220205 (Red Hat 12.0.1-0) (GCC) + inlined from 'bpf__config_obj' at util/bpf-loader.c:1242:9: + util/bpf-loader.c:1225:34: error: pointer 'map_opt' may be used after 'free' [-Werror=use-after-free] + 1225 | *key_scan_pos += strlen(map_opt); + | ^~~~~~~~~~~~~~~ + util/bpf-loader.c:1223:9: note: call to 'free' here + 1223 | free(map_name); + | ^~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +So do the calculations on the pointer before freeing it. + +Fixes: 04f9bf2bac72480c ("perf bpf-loader: Add missing '*' for key_scan_pos") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Wang ShaoBo +Link: https://lore.kernel.org/lkml/Yg1VtQxKrPpS3uNA@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/bpf-loader.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/bpf-loader.c ++++ b/tools/perf/util/bpf-loader.c +@@ -1214,9 +1214,10 @@ bpf__obj_config_map(struct bpf_object *o + pr_debug("ERROR: Invalid map config option '%s'\n", map_opt); + err = -BPF_LOADER_ERRNO__OBJCONF_MAP_OPT; + out: +- free(map_name); + if (!err) + *key_scan_pos += strlen(map_opt); ++ ++ free(map_name); + return err; + } + diff --git a/queue-5.15/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch b/queue-5.15/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch new file mode 100644 index 00000000000..555d5c0b58d --- /dev/null +++ b/queue-5.15/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch 
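Review bot: Nothing at the `out:` label records why `free(map_name)` must come after the `strlen(map_opt)` line, so a later tidy-up could move the free back to the top of the cleanup. The gcc diagnostic quoted in the description suggests `map_opt` points into the `map_name` allocation, although the assignment itself is outside the hunk. A comment above the `free()`, such as `/* map_opt may point into map_name: free only after its last use */`, would pin the ordering. The body of bpf__obj_config_map starts outside the hunk.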
@@ -0,0 +1,78 @@ +From 35a79e64de29e8d57a5989aac57611c0cd29e13e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Wed, 16 Feb 2022 00:20:52 -0500 +Subject: ping: fix the dif and sdif check in ping_lookup + +From: Xin Long + +commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream. + +When 'ping' changes to use PING socket instead of RAW socket by: + + # sysctl -w net.ipv4.ping_group_range="0 100" + +There is another regression caused when matching sk_bound_dev_if +and dif, RAW socket is using inet_iif() while PING socket lookup +is using skb->dev->ifindex, the cmd below fails due to this: + + # ip link add dummy0 type dummy + # ip link set dummy0 up + # ip addr add 192.168.111.1/24 dev dummy0 + # ping -I dummy0 192.168.111.1 -c1 + +The issue was also reported on: + + https://github.com/iputils/iputils/issues/104 + +But fixed in iputils in a wrong way by not binding to device when +destination IP is on device, and it will cause some of kselftests +to fail, as Jianlin noticed. + +This patch is to use inet(6)_iif and inet(6)_sdif to get dif and +sdif for PING socket, and keep consistent with RAW socket. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ping.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -172,16 +172,23 @@ static struct sock *ping_lookup(struct n + struct sock *sk = NULL; + struct inet_sock *isk; + struct hlist_nulls_node *hnode; +- int dif = skb->dev->ifindex; ++ int dif, sdif; + + if (skb->protocol == htons(ETH_P_IP)) { ++ dif = inet_iif(skb); ++ sdif = inet_sdif(skb); + pr_debug("try to find: num = %d, daddr = %pI4, dif = %d\n", + (int)ident, &ip_hdr(skb)->daddr, dif); + #if IS_ENABLED(CONFIG_IPV6) + } else if (skb->protocol == htons(ETH_P_IPV6)) { ++ dif = inet6_iif(skb); ++ sdif = inet6_sdif(skb); + pr_debug("try to find: num = %d, daddr = %pI6c, dif = %d\n", + (int)ident, &ipv6_hdr(skb)->daddr, dif); + #endif ++ } else { ++ pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol)); ++ return NULL; + } + + read_lock_bh(&ping_table.lock); +@@ -221,7 +228,7 @@ static struct sock *ping_lookup(struct n + } + + if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif && +- sk->sk_bound_dev_if != inet_sdif(skb)) ++ sk->sk_bound_dev_if != sdif) + continue; + + sock_hold(sk); diff --git a/queue-5.15/revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch b/queue-5.15/revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch new file mode 100644 index 00000000000..1750b9d13df --- /dev/null +++ b/queue-5.15/revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch 
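Review bot: The new `else` branch in `ping_lookup()` logs with an unconditional `pr_err()`, and the function looks like a per-packet lookup, so if that branch can be reached from received traffic every such packet adds a kernel log line. Whether any caller can hand in an skb that is neither IPv4 nor IPv6 is not visible in the hunk. If one can, a rate-limited form keeps the diagnostic without letting the log be flooded: `pr_err_ratelimited("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));`. The early `return NULL` is also what prevents `dif` and `sdif` from being read uninitialised in the later bound-device comparison, which deserves a short comment. ping_lookup continues outside both hunks.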
@@ -0,0 +1,73 @@ +From 6aba04ee3263669b335458c4cf4c7d97d6940229 Mon Sep 17 00:00:00 2001 +From: Jonas Gorski +Date: Wed, 16 Feb 2022 10:46:34 -0800 +Subject: Revert "net: ethernet: bgmac: Use devm_platform_ioremap_resource_byname" + +From: Jonas Gorski + +commit 6aba04ee3263669b335458c4cf4c7d97d6940229 upstream. + +This reverts commit 3710e80952cf2dc48257ac9f145b117b5f74e0a5. + +Since idm_base and nicpm_base are still optional resources not present +on all platforms, this breaks the driver for everything except Northstar +2 (which has both). + +The same change was already reverted once with 755f5738ff98 ("net: +broadcom: fix a mistake about ioremap resource"). + +So let's do it again. + +Fixes: 3710e80952cf ("net: ethernet: bgmac: Use devm_platform_ioremap_resource_byname") +Signed-off-by: Jonas Gorski +[florian: Added comments to explain the resources are optional] +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220216184634.2032460-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac-platform.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bgmac-platform.c ++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c +@@ -172,6 +172,7 @@ static int bgmac_probe(struct platform_d + { + struct device_node *np = pdev->dev.of_node; + struct bgmac *bgmac; ++ struct resource *regs; + int ret; + + bgmac = bgmac_alloc(&pdev->dev); +@@ -208,15 +209,23 @@ static int bgmac_probe(struct platform_d + if (IS_ERR(bgmac->plat.base)) + return PTR_ERR(bgmac->plat.base); + +- bgmac->plat.idm_base = devm_platform_ioremap_resource_byname(pdev, "idm_base"); +- if (IS_ERR(bgmac->plat.idm_base)) +- return PTR_ERR(bgmac->plat.idm_base); +- else ++ /* The idm_base resource is optional for some platforms */ ++ regs = platform_get_resource_byname(pdev, IORESOURCE_MEM, "idm_base"); ++ if (regs) { ++ 
bgmac->plat.idm_base = devm_ioremap_resource(&pdev->dev, regs); ++ if (IS_ERR(bgmac->plat.idm_base)) ++ return PTR_ERR(bgmac->plat.idm_base); + bgmac->feature_flags &= ~BGMAC_FEAT_IDM_MASK; ++ } + +- bgmac->plat.nicpm_base = devm_platform_ioremap_resource_byname(pdev, "nicpm_base"); +- if (IS_ERR(bgmac->plat.nicpm_base)) +- return PTR_ERR(bgmac->plat.nicpm_base); ++ /* The nicpm_base resource is optional for some platforms */ ++ regs = platform_get_resource_byname(pdev, IORESOURCE_MEM, "nicpm_base"); ++ if (regs) { ++ bgmac->plat.nicpm_base = devm_ioremap_resource(&pdev->dev, ++ regs); ++ if (IS_ERR(bgmac->plat.nicpm_base)) ++ return PTR_ERR(bgmac->plat.nicpm_base); ++ } + + bgmac->read = platform_bgmac_read; + bgmac->write = platform_bgmac_write; diff --git a/queue-5.15/selftests-exec-add-non-regular-to-test_gen_progs.patch b/queue-5.15/selftests-exec-add-non-regular-to-test_gen_progs.patch new file mode 100644 index 00000000000..599d3f60a55 --- /dev/null +++ b/queue-5.15/selftests-exec-add-non-regular-to-test_gen_progs.patch 
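Review bot: When the `nicpm_base` resource is absent, `bgmac->plat.nicpm_base` keeps whatever value `bgmac_alloc()` left in it, presumably NULL. Unlike the `idm_base` case, where `BGMAC_FEAT_IDM_MASK` stays set, nothing in this hunk tells later code that the mapping is missing. It is worth confirming that every user of `plat.nicpm_base` checks the pointer before touching registers through it, since those users are outside the hunk. The new comment could state the contract, e.g. `/* The nicpm_base resource is optional for some platforms; plat.nicpm_base stays unset when absent */`. bgmac_probe continues outside the hunk.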
@@ -0,0 +1,40 @@ +From a7e793a867ae312cecdeb6f06cceff98263e75dd Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Thu, 10 Feb 2022 22:13:23 +0500 +Subject: selftests/exec: Add non-regular to TEST_GEN_PROGS + +From: Muhammad Usama Anjum + +commit a7e793a867ae312cecdeb6f06cceff98263e75dd upstream. + +non-regular file needs to be compiled and then copied to the output +directory. Remove it from TEST_PROGS and add it to TEST_GEN_PROGS. This +removes error thrown by rsync when non-regular object isn't found: + +rsync: [sender] link_stat "/linux/tools/testing/selftests/exec/non-regular" failed: No such file or directory (2) +rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1333) [sender=3.2.3] + +Fixes: 0f71241a8e32 ("selftests/exec: add file type errno tests") +Reported-by: "kernelci.org bot" +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: Shuah Khan +Reviewed-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/exec/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/exec/Makefile ++++ b/tools/testing/selftests/exec/Makefile +@@ -3,8 +3,8 @@ CFLAGS = -Wall + CFLAGS += -Wno-nonnull + CFLAGS += -D_GNU_SOURCE + +-TEST_PROGS := binfmt_script non-regular +-TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 ++TEST_PROGS := binfmt_script ++TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 non-regular + TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir + # Makefile is a run-time dependency, since it's accessed by the execveat test + TEST_FILES := Makefile diff --git a/queue-5.15/selftests-netfilter-disable-rp_filter-on-router.patch b/queue-5.15/selftests-netfilter-disable-rp_filter-on-router.patch new file mode 100644 index 00000000000..836c24a1a16 --- /dev/null 
+++ b/queue-5.15/selftests-netfilter-disable-rp_filter-on-router.patch 
@@ -0,0 +1,51 @@ +From bbe4c0896d25009a7c86285d2ab024eed4374eea Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Thu, 10 Feb 2022 17:50:56 +0800 +Subject: selftests: netfilter: disable rp_filter on router + +From: Hangbin Liu + +commit bbe4c0896d25009a7c86285d2ab024eed4374eea upstream. + +Some distros may enable rp_filter by default. After ns1 change addr to +10.0.2.99 and set default router to 10.0.2.1, while the connected router +address is still 10.0.1.1. The router will not reply the arp request +from ns1. Fix it by setting the router's veth0 rp_filter to 0. + +Before the fix: + # ./nft_fib.sh + PASS: fib expression did not cause unwanted packet drops + Netns nsrouter-HQkDORO2 fib counter doesn't match expected packet count of 1 for 1.1.1.1 + table inet filter { + chain prerouting { + type filter hook prerouting priority filter; policy accept; + ip daddr 1.1.1.1 fib saddr . iif oif missing counter packets 0 bytes 0 drop + ip6 daddr 1c3::c01d fib saddr . iif oif missing counter packets 0 bytes 0 drop + } + } + +After the fix: + # ./nft_fib.sh + PASS: fib expression did not cause unwanted packet drops + PASS: fib expression did drop packets for 1.1.1.1 + PASS: fib expression did drop packets for 1c3::c01d + +Fixes: 82944421243e ("selftests: netfilter: add fib test case") +Signed-off-by: Yi Chen +Signed-off-by: Hangbin Liu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/netfilter/nft_fib.sh | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/netfilter/nft_fib.sh ++++ b/tools/testing/selftests/netfilter/nft_fib.sh +@@ -174,6 +174,7 @@ test_ping() { + ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null + ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null + ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null ++ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null + + sleep 3 + 
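Review bot: Setting only `net.ipv4.conf.veth0.rp_filter=0` may not switch reverse-path filtering off on veth0, because the kernel uses the higher of the `conf.all` and per-interface values when validating the source address on an interface. If the router namespace starts with a non-zero `conf.all.rp_filter`, the ARP request described in the commit message would still go unanswered. Adding `ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null` next to the new line covers that case. Whether a fresh namespace picks up a non-zero default on the affected distros cannot be told from this hunk.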
diff --git a/queue-5.15/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch b/queue-5.15/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
new file mode 100644
index 00000000000..7e5fa3ed2f8
--- /dev/null
+++ b/queue-5.15/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
@@ -0,0 +1,33 @@
+From 2e71ec1a725a794a16e3862791ed43fe5ba6a06b Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Wed, 9 Feb 2022 16:25:51 +0800
+Subject: selftests: netfilter: fix exit value for nft_concat_range
+
+From: Hangbin Liu
+
+commit 2e71ec1a725a794a16e3862791ed43fe5ba6a06b upstream.
+
+When the nft_concat_range test failed, it exit 1 in the code
+specifically.
+
+But when part of, or all of the test passed, it will failed the
+[ ${passed} -eq 0 ] check and thus exit with 1, which is the same
+exit value with failure result. Fix it by exit 0 when passed is not 0.
+
+Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
+Signed-off-by: Hangbin Liu
+Reviewed-by: Stefano Brivio
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/netfilter/nft_concat_range.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/netfilter/nft_concat_range.sh
++++ b/tools/testing/selftests/netfilter/nft_concat_range.sh
+@@ -1583,4 +1583,4 @@ for name in ${TESTS}; do
+ done
+ done
+
+-[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP}
++[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} || exit 0
diff --git a/queue-5.15/series b/queue-5.15/series
index 07bdfb5debc..cf02577d7ea 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
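Review bot: The `[ ... ] && exit ${KSELFTEST_SKIP} || exit 0` form on the last line also exits 0 when the `[` test itself errors, for example if `${passed}` expands to nothing or to a non-number, because the expansion is unquoted. The run would then be reported as a pass with no test having succeeded. An explicit branch with a default avoids that and reads more directly: `if [ "${passed:-0}" -eq 0 ]; then exit ${KSELFTEST_SKIP}; fi` followed by `exit 0`. Where `passed` is initialised is outside the hunk.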
@@ -67,3 +67,42 @@ drm-i915-fix-dbuf-slice-config-lookup.patch drm-i915-fix-mbus-join-config-lookup.patch vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch optee-use-driver-internal-tee_context-for-some-rpc.patch +drm-cma-helper-set-vm_dontexpand-for-mmap.patch +drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch +drm-i915-ttm-tweak-priority-hint-selection.patch +iwlwifi-pcie-fix-locking-when-hw-not-ready.patch +iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch +iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch +netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch +selftests-netfilter-fix-exit-value-for-nft_concat_range.patch +netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch +selftests-netfilter-disable-rp_filter-on-router.patch +ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch +ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch +ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch +ipv6-per-netns-exclusive-flowlabel-checks.patch +revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch +mac80211-mlme-check-for-null-after-calling-kmemdup.patch +brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch +cfg80211-fix-race-in-netlink-owner-interface-destruction.patch +net-dsa-lan9303-fix-reset-on-probe.patch +net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch +net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch +net-dsa-lan9303-handle-hwaccel-vlan-tags.patch +net-dsa-lan9303-add-vlan-ids-to-master-device.patch +net-ieee802154-ca8210-fix-lifs-sifs-periods.patch +ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch +bonding-force-carrier-update-when-releasing-slave.patch +drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch +net_sched-add-__rcu-annotation-to-netdev-qdisc.patch +bonding-fix-data-races-around-agg_select_timer.patch +libsubcmd-fix-use-after-free-for-realloc-...-0.patch 
+net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch +net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch +atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch +tipc-fix-wrong-publisher-node-address-in-link-publications.patch +dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch +dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch +net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch +perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch +selftests-exec-add-non-regular-to-test_gen_progs.patch diff --git a/queue-5.15/tipc-fix-wrong-publisher-node-address-in-link-publications.patch b/queue-5.15/tipc-fix-wrong-publisher-node-address-in-link-publications.patch new file mode 100644 index 00000000000..c1499db741d --- /dev/null +++ b/queue-5.15/tipc-fix-wrong-publisher-node-address-in-link-publications.patch 
@@ -0,0 +1,39 @@ +From 032062f363b4bf02b1d547f329aa5d97b6a17410 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Sun, 13 Feb 2022 20:38:52 -0500 +Subject: tipc: fix wrong publisher node address in link publications + +From: Jon Maloy + +commit 032062f363b4bf02b1d547f329aa5d97b6a17410 upstream. + +When a link comes up we add its presence to the name table to make it +possible for users to subscribe for link up/down events. However, after +a previous call signature change the binding is wrongly published with +the peer node as publishing node, instead of the own node as it should +be. This has the effect that the command 'tipc name table show' will +list the link binding (service type 2) with node scope and a peer node +as originator, something that obviously is impossible. + +We correct this bug here. + +Fixes: 50a3499ab853 ("tipc: simplify signature of tipc_namtbl_publish()") +Signed-off-by: Jon Maloy +Link: https://lore.kernel.org/r/20220214013852.2803940-1-jmaloy@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/node.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -413,7 +413,7 @@ static void tipc_node_write_unlock(struc + tipc_uaddr(&ua, TIPC_SERVICE_RANGE, TIPC_NODE_SCOPE, + TIPC_LINK_STATE, n->addr, n->addr); + sk.ref = n->link_id; +- sk.node = n->addr; ++ sk.node = tipc_own_addr(net); + bearer_id = n->link_id & 0xffff; + publ_list = &n->publ_list; + -- 2.47.3
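Review bot: After this change `sk.node` and the `tipc_uaddr()` call two lines above it take different node addresses (`tipc_own_addr(net)` versus `n->addr`), and the code does not say why they differ. The commit message explains that the publisher must be the own node while `n` is the peer, but that reasoning lives only in the changelog. A comment on the assignment, such as `/* publisher is always the local node; n->addr only names the peer in the service range */`, would help prevent a later signature change from reintroducing the mix-up. The enclosing function starts and ends outside the hunk.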